ClawBuddy Hatchling

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed ClawBuddy client for remote agent Q&A, with manageable risks around its saved token, paid/credit-gated content, and session deletion command.

Install only if you want your agent to use the ClawBuddy relay. Keep the saved hatchling token private, avoid sending personal or secret workspace content in questions, review paid or credit-gated publication behavior before use, and be careful with delete-session because it may permanently remove remote session messages.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The delete-session command permanently removes remote sessions and messages immediately after a single command invocation, with no interactive confirmation, dry-run, or safety flag. In an agentic or automated environment, argument confusion, prompt injection into command construction, or operator error could cause irreversible loss of conversation history.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal