Clawapp Creator

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate CLAWSPACE app packaging and publishing helper, but it can publish using saved account credentials and its publish triggers are broad enough to deserve review before installation.

Install only if you are comfortable giving the skill CLAWSPACE publishing authority. Prefer macOS Keychain over plaintext config storage, run the account-check and dry-run steps before upload, and require an explicit final confirmation showing account, slug, package path, and overwrite status before publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly instructs the agent to read and write files, run shell commands, and access remote services, yet no explicit permission declaration is present. This creates a governance gap: users and enforcement layers may not realize the skill can package projects, store configs, and upload data to an external site, increasing the risk of unintended privileged actions.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The publish-mode trigger examples are broad natural-language phrases such as helping to 'publish this app directly', which could cause accidental invocation of a skill that can register accounts, use saved credentials, and upload content. In this skill’s context, unintended activation is more dangerous than usual because the documented capabilities include account-bound actions against a production site.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The app sends the full uploaded image as base64 to a backend LLM API, but the code shown provides no explicit notice, consent flow, or warning that user-provided images leave the browser for remote processing. Because OCR inputs often contain sensitive personal or business data, this creates a real privacy and compliance risk through unexpected data transmission rather than a purely cosmetic issue.

Credential Access

High
Category
Privilege Escalation
Content
## Security Notes

- The skill can register, log in, and upload on the user's behalf, so it should be treated as a publishing tool with account-level permissions.
- On macOS, `keychain` is the recommended password storage mode.
- `config` plaintext password storage is kept only as a compatibility fallback.
- Before upload, creators can run `python3 scripts/check_clawspace_account.py` to confirm which account is currently active.
- `upload_nima_package.py` now prints the active account summary before it uploads anything.
Confidence
86% confidence
Finding
keychain

Credential Access

High
Category
Privilege Escalation
Content
Leave the file empty by default. Reuse it on later uploads unless the user wants to override it.

When saving credentials, prefer file permission `600`.
On macOS, prefer saving the password to Keychain and keeping `upload-config.json` as site metadata plus fallback config.
Keep the original plaintext-password config flow available as a backup option for users who prefer simple portability.

For the first-time setup, prefer:
Confidence
98% confidence
Finding
Keychain

Credential Access

High
Category
Privilege Escalation
Content
The upload script reads missing values from `upload-config.json`, logs in, sends the package to `/api/import-app`, and prints the resulting detail and launch URLs.
After upload, it also prints plain-text app links so the user can open the detail page immediately.
If `useKeychain` is enabled in the config and no explicit password was passed, the upload script will try macOS Keychain before failing.

During upload, report progress in stages:
Confidence
92% confidence
Finding
Keychain

Credential Access

High
Category
Privilege Escalation
Content
The upload script reads missing values from `upload-config.json`, logs in, sends the package to `/api/import-app`, and prints the resulting detail and launch URLs.
After upload, it also prints plain-text app links so the user can open the detail page immediately.
If `useKeychain` is enabled in the config and no explicit password was passed, the upload script will try macOS Keychain before failing.

During upload, report progress in stages:
Confidence
92% confidence
Finding
Keychain

VirusTotal

64/64 vendors flagged this skill as clean.