Outclaw Style

Security checks across malware telemetry and agentic risk

Overview

This style-learning skill has a coherent purpose, but it can read and persist private sent-message content across many connected accounts with broad consent and limited retention controls.

Install only if you are comfortable letting this skill access sent-message history from connected accounts and save both raw samples and learned style profiles locally. Before use, confirm which channels and accounts are included, prefer exports or official APIs over browser scraping, and make sure you have a way to review and delete the raw training files, style files, and memory entries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Medium (94% confidence)
Finding
The documented storage path writes learned style prompts to a single tenant-agnostic location in the user's home directory, which conflicts with the manifest's stated per-tenant scope. In a multi-tenant environment, this can cause one tenant's learned style to overwrite or be reused by another tenant, creating cross-tenant data leakage and integrity issues.

Context-Inappropriate Capability

Medium (92% confidence)
Finding
The reference explicitly directs browser automation scraping of LinkedIn sent messages, which expands the skill from message-style analysis into automated extraction from a third-party account. That creates avoidable privacy, account-integrity, and terms-of-service risk, especially because the content being harvested is private correspondence and the method is more invasive than necessary.

Context-Inappropriate Capability

Medium (88% confidence)
Finding
Requiring a local CLI (`gog`) introduces host-level command execution into a skill whose purpose is style learning, increasing the attack surface and coupling the skill to local system capabilities. Even if the command itself is legitimate, this design crosses a trust boundary and could expose message contents or system context in ways users do not expect.

Missing User Warnings

Medium (95% confidence)
Finding
The skill explicitly persists raw outbound message samples to disk as training data, but the user-facing description does not clearly warn about this retention behavior. Even with a consent section later in the file, hidden persistence of private communications increases privacy and compliance risk because users may not understand that their message contents are being stored verbatim.

Missing User Warnings

Low (81% confidence)
Finding
The skill instructs persistent writes to a home-directory file without any explicit user-facing notice or consent flow. While not inherently dangerous by itself, silent persistence can surprise users, retain potentially sensitive writing-style data longer than expected, and increase privacy and compliance risk.

Missing User Warnings

Medium (95% confidence)
Finding
The skill collects and analyzes private outbound communications across email, Slack, WhatsApp, and LinkedIn, but the reference does not present a clear privacy notice or explicit informed consent before broad multi-channel ingestion. Because these messages may contain sensitive business, personal, or third-party data, silent or auto-triggered collection materially increases privacy risk.

Missing User Warnings

Medium (93% confidence)
Finding
Scraping LinkedIn sent messages through browser automation is a privacy-sensitive action with potential account and platform consequences, yet the reference includes no warning or consent language about those risks. Users may not realize the skill is automating access to private message history on their behalf.

Missing User Warnings

Medium (94% confidence)
Finding
Saving learned style prompts derived from private communications to a predictable local filesystem path creates a persistence risk: sensitive stylistic fingerprints and potentially embedded business context may remain accessible beyond the session. Without disclosure, retention controls, or access protections, this can leak user or tenant-specific communication traits to other local users or processes.

Ssd 3

Medium (96% confidence)
Finding
The skill directs the system to persist learned style prompts derived from users' private outbound communications in tenant-scoped files for later reuse. Retaining behavioral summaries of private communications creates durable sensitive data that could expose communication patterns, preferences, or inferred personal information if accessed by other components or an attacker.

Ssd 3

Medium (99% confidence)
Finding
This instruction explicitly writes raw outbound messages to persistent storage as JSONL training data. Raw message histories can contain sensitive personal, commercial, or regulated information, and storing them in reusable plaintext-like artifacts materially increases breach impact and secondary misuse risk.

Ssd 3

Medium (93% confidence)
Finding
The skill creates reusable memory records summarizing information inferred from user communications so other skills can quickly reuse it. Cross-session memory of inferred traits expands the blast radius of any over-collection because downstream agents may consume those summaries without revisiting consent or necessity.

VirusTotal

66/66 vendors flagged this skill as clean.
