claw and order

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed blockchain dispute-resolution integration, but users should understand that it can send wallet-linked case data to a third-party service and involve token-staking transactions.

Install only if you are comfortable using the named Claw & Order service for wallet-linked disputes. Use a low-value dedicated wallet, verify every transaction in your wallet UI, do not share private keys with the agent, and avoid putting secrets or unnecessary personal data in evidence or contact fields.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs agents to send lawsuit evidence, wallet addresses, transaction hashes, signatures, and optional contact endpoints to an external third-party service without any explicit privacy or data-handling warning. This can expose sensitive operational, legal, and identifying information to an untrusted remote endpoint, and the presence of blockchain and callback data increases correlation and abuse risk.

VirusTotal

66/66 vendors flagged this skill as clean.
