Back to skill

Security audit

Claw Deep Research

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate deep-research assistant, but it needs review because it can run background research and persist potentially sensitive research outputs locally without clear per-use consent.

Install only if you are comfortable with a research skill that may run long tasks, delegate work to sub-agents, and save reports or cache state locally. Avoid using it for confidential topics unless you can control where files are written, disable or clean up caches, and confirm before any background or file-writing workflow starts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to persist research state to a local cache file under the user's home directory without explicit consent or strong necessity controls. Even if intended for resilience, writing topic-derived content to disk can leak sensitive prompts, research subjects, or fetched data beyond the active session and expands the skill's behavior beyond pure research into filesystem persistence.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill mandates saving full reports to Desktop, workspace, or /tmp by default, which creates unsolicited local data persistence and potential exposure to other local users, processes, backups, or sync services. Because reports may contain sensitive user queries, proprietary topics, or collected source material, default file output is a privacy and data-handling risk not inherent to the stated research purpose.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
Automatic spawning of background sub-agents increases execution scope and can cause the user's query and derived research plan to be propagated into additional isolated sessions without a strong consent boundary. This broadens data exposure, complicates auditability, and may trigger unexpected autonomous actions or resource consumption beyond what a user expects from a single research interaction.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The README advertises broad natural-language triggers such as 'Do a deep dive on...' and 'I need a comprehensive analysis of...', which can overlap with ordinary user conversation and cause the skill to activate unintentionally. In an agent environment, accidental triggering can launch extensive web research and downstream actions without clear user intent, increasing the risk of unwanted network activity, token spend, and data handling.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README states that the full report is automatically saved to the local filesystem, including to Desktop and fallback paths, but does not clearly require explicit user consent at the moment of write. Research outputs may contain sensitive prompts, gathered content, or inferred business/personal information, so silent persistence creates privacy and data exposure risk on shared or monitored systems.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The README advertises very broad implicit trigger phrases such as requests to 'deeply research' or 'analyze' a topic, which are common in normal conversation and can cause unintended activation of the skill. In an agent environment, this can lead to unplanned recursive searches, excess tool usage, higher cost/latency, and the agent taking over tasks the user did not explicitly intend to invoke through this workflow.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Writing research cache files to disk without a prominent upfront warning is a transparency and consent failure. Users may reasonably believe they are engaging only in transient web research, while the skill silently creates persistent local artifacts containing research state and possibly sensitive topic information.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill's default behavior of saving complete reports to local files without clear upfront warning undermines informed consent and may expose sensitive outputs in predictable locations. Desktop and workspace locations are often user-visible, synchronized, or accessible to other software, and /tmp can be especially inappropriate for confidential material.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.