
Security audit

Super Clawcompany

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it needs review because broad triggers can launch external coding agents that may change project files without a clear confirmation step.

Install only if you are comfortable letting this skill send task context to external agent runtimes and create or modify files in your chosen project directory. Use dry-run first, avoid sensitive prompts or repository paths, keep API keys out of logs, and review changes before trusting generated code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill documents use of an environment variable (GLM_API_KEY) and agent runtimes with code-like capabilities, but no explicit permissions declaration is present. This creates a transparency and governance gap: users may invoke a skill that relies on credentialed external services without clear permission boundaries or disclosure of sensitive capability use.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The review gate fails open: if the Review Agent returns malformed output or parsing fails, the code returns true and treats the work as approved. An attacker can exploit this by causing the reviewer to emit non-JSON output or otherwise break parsing, bypassing the only explicit quality and security check in the workflow.

Vague Triggers

High
Confidence
95% confidence
Finding
The README advertises automatic triggering from broad natural-language requests like "帮我创建一个登录页面" ("help me create a login page") / "create a...", which can cause the skill to activate during ordinary conversation rather than from an explicit, high-intent command. In a code-generating skill that can create or modify project files, accidental invocation materially increases the chance of unintended code generation or workflow execution.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README describes an automated PM/Dev/Review pipeline that generates code and saves files, but it does not clearly warn users that invoking the skill may modify the current project or write new files. In this context, weak disclosure is risky because the skill is explicitly designed for end-to-end app creation, so users may trigger filesystem changes without understanding scope or destination.

Vague Triggers

High
Confidence
94% confidence
Finding
The trigger phrases "create a...", "build a...", "implement a...", and "develop a..." are extremely broad and likely to match many ordinary requests. That can cause unintentional activation of a multi-agent coding workflow that generates files and delegates work to other agents without the user explicitly requesting this specific skill.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The usage conditions say to activate whenever users ask to create, implement, or develop something, but they do not define scope limits, exclusions, or confirmation requirements. This ambiguity increases the chance of over-triggering and unintended autonomous coding actions in contexts where the user may only want advice, not execution.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The description emphasizes collaboration and automation but does not clearly warn users that the skill can generate or modify project files through downstream agents. Without that warning, users may not understand that invoking the skill can lead to concrete code or file changes rather than simple planning assistance.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The skill instructs users to supply an API key via an environment variable but does not provide clear guidance on secure credential handling, storage, or exposure risks. This can lead to accidental leakage of secrets in logs, shared environments, screenshots, or generated code/config files.

Vague Triggers

Low
Confidence
80% confidence
Finding
The lockfile pulls `libsignal` from a `git+ssh://git@github.com/...` source rather than the npm registry, which weakens supply-chain controls and reproducibility. Even though the dependency is pinned to a specific commit, it bypasses normal registry vetting and can fail closed/open depending on SSH trust, developer keys, and repository governance, increasing risk for builds of this skill.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill forwards the raw userRequest to an external session API (subagent runtime) without any explicit notice, consent, or redaction step. This can expose sensitive prompts, secrets, internal project details, or personal data to external agent infrastructure, which is a real data-transmission/privacy risk in a collaboration automation skill.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The dev agent is authorized to run in the supplied projectPath and is instructed to create files, but the user is not explicitly warned that automated modifications will be made to the local project. In this context, the skill is specifically designed to build software end-to-end, so silent file creation/modification by an external agent increases the chance of unintended code changes, overwrites, or insertion of unsafe content into the workspace.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The Dev Agent prompt includes both task details and the local project path, and the session runs with cwd set to that path, yet the user is not clearly warned that local project metadata will be transmitted externally. Revealing directory structure or internal path names can expose environment details and increase privacy and operational risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The PM Agent sends raw user request content to an external agent session without any explicit disclosure that the request may leave the local environment. If users include secrets, proprietary code requirements, or sensitive business context, this can cause unintended data exposure to remote services or logs.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The Dev Agent prompt includes both task details and the local project path, and the session runs with cwd set to that path, yet the user is not clearly warned that local project metadata will be transmitted externally. Revealing directory structure or internal path names can expose environment details and increase privacy and operational risk.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The Review Agent sends task information and generated file names to another external session without explicit disclosure. While file names are usually less sensitive than file contents, they can still reveal architecture, features, customer names, or internal project structure.

Ssd 4

Medium
Confidence
93% confidence
Finding
The workflow accepts raw user requests and feeds them into a chained PM→Dev→Review agent pipeline that culminates in file-creating actions, without policy enforcement or semantic safety checks between stages. This enables prompt-injection or harmful task reframing to propagate across agents and increase the chance that unsafe instructions are transformed into trusted internal actions.

Ssd 4

Medium
Confidence
95% confidence
Finding
The PM agent prompt embeds untrusted user input directly as authoritative product requirements. Because the PM output is later treated as structured tasking for implementation, adversarial instructions can be legitimized and carried forward as if they were trusted internal planning decisions.

Ssd 4

High
Confidence
98% confidence
Finding
Task titles and descriptions generated by one model are passed directly into the coding agent, which is run with a project cwd and instructed to create files. This creates a high-risk trust boundary failure where model-generated content gains the authority to drive filesystem-modifying actions, enabling prompt-injection chains, unsafe code generation, or unauthorized project changes.

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
SKILL.md:30