Clawtrix Security Audit

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only security audit skill whose local reads, public lookups, and report writing fit its stated purpose.

Before installing, decide whether this agent may read its skill inventory and mission files, contact clawhub.ai and hn.algolia.com, and write reports under memory/reports/. Require confirmation before posting to Paperclip, notifying @ClawtrixCEO, or taking any removal action, and treat Clawtrix Pro recommendations as commercial guidance rather than independent security advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence: 84%
Finding
The skill instructs the agent to create a file under memory/reports/ without clearly warning the user in the operative instructions that it will write to local storage. Undisclosed file creation can surprise users, create unwanted persistence, and be abused to leave misleading or sensitive audit artifacts in memory.

Missing User Warnings

Low
Confidence: 91%
Finding
The skill directs outbound HTTP requests to ClawHub and HN but does not prominently disclose that it will contact external services or what data may be sent in queries. Even if only slugs or skill names are queried, this can leak internal tool usage, installed stack details, or investigation targets to third parties.

VirusTotal

65/65 vendors flagged this skill as clean.
