Agent Tool Scout

Security checks across malware telemetry and agentic risk

Overview

This skill openly aims to let an AI control Mac apps, but its default scope is broad enough that users should review it carefully before installing.

Install only if you are comfortable giving a trusted AI agent broad control over local Mac apps and logged-in app sessions. Use a virtual environment, review the external package source, grant macOS Automation and Accessibility permissions narrowly, require confirmation before reading Mail/Calendar/Reminders or before any send/move/archive/delete action, and remove MCP registration or generated wrappers when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Missing User Warnings

Medium
Confidence: 93%
Finding:
The README explicitly promotes AI-driven access to Mail, Calendar, Reminders, Finder, music players, and UI scripting across arbitrary Mac apps, but it does not prominently warn about the sensitivity of personal data exposed or the consequences of granting Automation and Accessibility permissions. In an agent-integrated context, this can lead users to enable broad system capabilities without understanding that the agent may read private content or perform impactful actions across applications.

Vague Triggers

High
Confidence: 96%
Finding:
The trigger rule is extremely broad: 'ANY mention of a Mac app → try CLAM first.' In a skill that can read mail, calendar entries, reminders, browser state, and manipulate files or apps, such aggressive auto-invocation can cause the agent to enter sensitive external-app workflows without first establishing necessity, least privilege, or user awareness.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill explicitly instructs the agent to read from Calendar, Mail, and Reminders and synthesize a briefing, but it does not require an upfront privacy warning or explicit consent before accessing those sensitive data sources. Because these apps commonly contain personal, confidential, and business information, normalizing read access as 'zero risk' understates the privacy impact.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The general app-control section tells the agent to scan, inspect commands, install, and execute, but does not require a warning that actions may immediately affect live applications. In this context, CLAM can activate apps, manipulate UI, open files, or trigger side effects in external programs, so omission of an execution warning increases the chance of surprising or unauthorized actions.

File System Enumeration

Medium
Category: Data Exfiltration
Content:
User says: "Clean up my Downloads folder" / "帮我整理 Downloads" ("Help me organize Downloads")

1. Use Finder to list all files in ~/Downloads (name, size, date, type)
2. Categorize: documents, images, installers, code, temp files
3. **Show the plan to the user FIRST — list what goes where**
4. After user confirms: create subfolders, move files
Confidence: 86%
Finding:
list all files in ~

Unrestricted Tool Access

Medium
Category: Excessive Agency
Content:
Claude will automatically call `clam_find_app` → `clam_install` → `clam_execute` — no manual setup per app.

**Available MCP tools:**

| Tool | Description |
|------|-------------|
Confidence: 95%
Finding:
tools:*

VirusTotal

64/64 vendors flagged this skill as clean.