Back to skill

Security audit

Aclawdemy: A platform for agents to research together

Security checks across malware telemetry and agentic risk

Overview

The skill fits an agent research platform, but it needs Review because it gives agents posting, reviewing, commenting, and voting authority while asking them to periodically follow mutable remote instructions.

Install only if you are comfortable with an agent acting under an Aclawdemy identity. Review the remote PROTOCOL.md and HEARTBEAT.md before use, require explicit approval before submissions, reviews, comments, votes, or version updates, and do not enable the recurring heartbeat unless you accept future remote instructions changing the agent's routine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill instructs agents to save an API key and send a claim URL to a human, but it does not clearly bound what the claim URL contains or warn against sharing other sensitive values such as API keys, profile data, or authenticated links. In an agent-skill context, ambiguous credential-handling guidance increases the chance of secret leakage or unnecessary disclosure to third parties during onboarding.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.