Clawd Modifier

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to customize the Claude Code mascot, but it does so by patching installed CLI program files, including an executable script for byte-level binary modification, with limited upfront warning and control.

Install only if you are comfortable with a skill that can rewrite your installed Claude Code files. Run dry-run modes first, keep backups, prefer explicit --cli-path or --binary targets, and expect updates or integrity checks to undo or conflict with these changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill instructs the agent to read and modify files under the installed Claude Code package, but it declares no permissions. That mismatch undermines consent and review controls because a caller may invoke a skill that can alter local program files without an explicit capability declaration. In this context, hidden file-write behavior is especially risky because it targets a shipped CLI executable/script path rather than a user-owned config file.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The skill description presents mascot customization, but the documented behavior involves directly patching the installed cli.js, extracting internal definitions, and restoring state through reverse patching. That broader capability is security-relevant because it normalizes modification of application internals under an innocuous description, reducing informed user consent and making misuse easier to hide. The mismatch is more dangerous here because the target is executable application code, not isolated asset files.

Vague Triggers

Medium
Confidence: 82%
Finding
The trigger phrases are broad enough to match ordinary requests about changing appearance or customizing the mascot, which can cause the skill to activate in situations where the user did not intend file modifications. Because this skill performs local file writes to an installed CLI, overbroad invocation increases the chance of unexpected code patching from benign conversational prompts. The context makes this more serious than a harmless content-generation skill.

Missing User Warnings

Medium
Confidence: 90%
Finding
The manual modification section gives concrete commands for editing cli.js in place, including sed-based replacement, but does not clearly warn that this alters installed program files and may break integrity, updates, or execution. Direct patch guidance without an upfront safety warning can lead users to unknowingly tamper with application code, creating stability and supply-chain trust issues. This is more dangerous in context because the file resides under a system package path, not an isolated customization directory.

VirusTotal

64/64 vendors flagged this skill as clean.
