AMLClaw

Security checks across malware telemetry and agentic risk

Overview

AMLClaw is a genuine AML compliance toolkit, but it warrants review before installation: it sends screening data to a third party (TrustIn), handles API keys weakly, writes local files without asking, ships jurisdiction-specific enforcement rules as defaults, and bundles law-enforcement seizure and spyware reference material.

Install only after reviewing the TrustIn data-sharing path, how API keys are stored and transmitted, and which jurisdictional rules should apply to your organization. Use explicit user confirmation before copying defaults or saving reports, keep generated graph/report files out of public repos, and avoid relying on the bundled law-enforcement seizure or spyware material for normal compliance workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
This reference materially expands from AML/compliance into operational guidance for spyware, remote compromise, covert monitoring, and state hacking. In a skill marketed for compliance screening and rule generation, bundling detailed offensive investigative tradecraft increases the chance the agent will surface or operationalize invasive cyber-investigation steps that are outside the intended user scope.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill description promises AML screening, policy generation, and compliance support, but the bundled content shifts into seizure, confiscation, surveillance, and law-enforcement investigation operations. That mismatch creates scope confusion and raises the risk of the model giving enforcement or intrusive operational advice to users expecting compliance guidance.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
These sections provide explicit procedures for accessing wallets, exploiting unlocked devices, transferring virtual assets, and operationalizing seizure/confiscation workflows. In a compliance-focused skill, such detailed tactics create a meaningful misuse path by enabling asset-taking or device-access guidance rather than defensive compliance analysis.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The activation text includes broad phrases like 'AML', 'compliance', 'screen address', and 'rules', which can cause the skill to trigger in ordinary conversation and steer the agent into shell, file, or web-enabled behavior unexpectedly. Because the skill can write files, run commands, and use network access, accidental activation increases the chance of unintended side effects or data exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to automatically copy a default ruleset into the working directory if rules.json is missing, without first obtaining user consent. Silent filesystem modification is dangerous because it changes project state, can overwrite expectations about local policy selection, and may influence downstream compliance results without the user's awareness.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The workflow directs the agent to write reports to the local filesystem automatically after processing, again without an upfront warning or confirmation. In an agent context, unannounced file creation can leak sensitive compliance outputs, clutter repositories, or place regulated data in insecure locations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The API key guidance recommends export flags and .env storage but does not warn that command-line flags may end up in shell history, process listings, logs, or checked-in files. For a security-sensitive skill that interacts with external services, weak secret-handling guidance can expose credentials and enable unauthorized use of the TrustIn account or associated data access.

Natural-Language Policy Violations

Medium
Confidence
87% confidence
Finding
This policy is framed as authoritative Hong Kong SFC AML/CFT guidance and says it 'applies to' VASPs/VATPs under the SFC framework, but it does not clearly constrain use to Hong Kong-regulated entities or require explicit jurisdiction selection before application. In a multi-jurisdiction AML skill that ships 'out of the box' policies, this creates a realistic risk that users or downstream agents will apply Hong Kong-specific thresholds, freezing rules, and reporting expectations in the wrong jurisdiction, causing mis-compliance and potentially harmful account handling decisions.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
This ruleset encodes Dubai VARA/UAE AML actions such as freezing, rejecting, EDD, and threshold-based CDD directly in a default rules file without an explicit jurisdictional scope gate or runtime opt-in. In a compliance toolkit that 'works out of the box,' this can cause operators to apply UAE-specific enforcement logic to users or transactions outside the intended regulatory perimeter, leading to incorrect account restrictions, compliance misclassification, and operational/legal harm.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The file ships a Singapore/MAS-specific enforcement ruleset as a default artifact, with actions like Freeze, EDD, and Review encoded directly into the policy and no visible jurisdiction selector, acknowledgment, or opt-in mechanism in the file. In a compliance skill that claims broad multi-jurisdiction coverage, silently applying one jurisdiction's thresholds and legal assumptions can cause incorrect compliance decisions, overblocking, or under-enforcement when used in other locales.
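The three jurisdiction findings above all describe the same missing control: a ruleset that encodes one regulator's thresholds and actions is applied with no check that the operator actually chose that jurisdiction. The following is an added example of what such a gate looks like; it is not AMLClaw's code. The JSON layout, the `jurisdiction` field, the rule ids, the action names and every threshold in it are hypothetical and constructed for illustration, not the real HK, UAE or SG requirements.

```python
# Added example, not AMLClaw's code: a ruleset loader with a jurisdiction gate.
# The JSON layout, field names, rule ids and thresholds are hypothetical and
# constructed for illustration; they are not the real HK/UAE/SG requirements.
import json
from typing import Any, Dict, Optional

# Actions ordered from least to most severe; the decision is the most severe action triggered.
SEVERITY = ["ALLOW", "REVIEW", "EDD", "REJECT", "FREEZE"]

# Constructed sample rulesets, as the JSON text a rules file would contain.
SAMPLE_RULESETS = {
    "rules_hk.json": json.dumps({
        "jurisdiction": "HK",
        "rules": [
            {"id": "hk-edd-amount", "when": {"amount_gte": 8000}, "action": "EDD"},
            {"id": "hk-freeze-sanctioned", "when": {"counterparty_risk_in": ["sanctioned"]}, "action": "FREEZE"},
        ],
    }),
    "rules_sg.json": json.dumps({
        "jurisdiction": "SG",
        "rules": [
            {"id": "sg-review-amount", "when": {"amount_gte": 5000}, "action": "REVIEW"},
        ],
    }),
    # A default ruleset with no jurisdiction tag: the kind of artifact the findings describe.
    "rules.json": json.dumps({
        "rules": [{"id": "default-freeze", "when": {"counterparty_risk_in": ["high"]}, "action": "FREEZE"}],
    }),
}


class JurisdictionGateError(Exception):
    """Raised when a ruleset must not be applied under the current selection."""


def load_ruleset(raw_json: str, selected_jurisdiction: Optional[str]) -> Dict[str, Any]:
    """Parse a ruleset and refuse it unless the operator explicitly selected the
    jurisdiction it is tagged with. An untagged ruleset is never applied."""
    data = json.loads(raw_json)
    tag = data.get("jurisdiction")
    if selected_jurisdiction is None:
        raise JurisdictionGateError("no jurisdiction selected; refusing to apply any ruleset")
    if tag is None:
        raise JurisdictionGateError("ruleset has no 'jurisdiction' tag; refusing to apply it")
    if tag != selected_jurisdiction:
        raise JurisdictionGateError("ruleset is for %s but operator selected %s" % (tag, selected_jurisdiction))
    for rule in data.get("rules", []):
        if rule.get("action") not in SEVERITY:
            raise ValueError("rule %s has unknown action %r" % (rule.get("id"), rule.get("action")))
    return data


def rule_matches(condition: Dict[str, Any], tx: Dict[str, Any]) -> bool:
    """Every clause in the condition must hold (conjunction)."""
    if "amount_gte" in condition and not tx["amount"] >= condition["amount_gte"]:
        return False
    if "counterparty_risk_in" in condition and tx["counterparty_risk"] not in condition["counterparty_risk_in"]:
        return False
    return True


def decide(ruleset: Dict[str, Any], tx: Dict[str, Any]) -> str:
    """Return the most severe action whose rule matches, or ALLOW."""
    triggered = [r["action"] for r in ruleset["rules"] if rule_matches(r["when"], tx)]
    return max(triggered, key=SEVERITY.index) if triggered else "ALLOW"


if __name__ == "__main__":
    tx = {"amount": 9000, "counterparty_risk": "low"}  # constructed sample transaction
    hk = load_ruleset(SAMPLE_RULESETS["rules_hk.json"], "HK")
    print("HK decision:", decide(hk, tx))
    for name, selected in (("rules_hk.json", "SG"), ("rules.json", "SG"), ("rules_sg.json", None)):
        try:
            load_ruleset(SAMPLE_RULESETS[name], selected)
        except JurisdictionGateError as exc:
            print("refused %s: %s" % (name, exc))
```

The point of the design is that the failure mode is a refusal, not a silent fallback: with no selection, or with an untagged default file, the loader raises rather than applying whichever thresholds happen to be on disk, so an agent that "works out of the box" cannot freeze or reject a customer under the wrong regime without an operator having named that regime first.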

Missing User Warnings

Low
Confidence
96% confidence
Finding
The prompt explicitly instructs the agent to write a Markdown report to a local path under ./reports without any user confirmation or warning. Unprompted filesystem writes are a real security concern because they modify the user's environment and can be abused for persistence, data clobbering, or chaining with other local-file workflows, even if the immediate action appears routine.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document normalizes use of spyware, keyloggers, covert interception, and remote intrusion techniques while providing implementation framing and examples. Even though framed as law-enforcement guidance, placing this in a general compliance skill without strong safeguards increases the likelihood of privacy-invasive or unlawful surveillance advice being surfaced.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guidance contains operational recommendations for transferring seized assets, acting quickly on unlocked devices, reconstructing wallets from seed phrases, and moving funds irreversibly. In a non-law-enforcement compliance context, that can facilitate wrongful asset movement, irreversible loss, or harm to legitimate owners if surfaced as actionable guidance.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The script transmits wallet addresses and investigation parameters to an external third-party API and writes returned graph data locally without any explicit privacy notice, consent flow, or data-handling safeguards. In an AML/compliance context, investigated addresses, time windows, and graph results may be sensitive investigative data, so silent transmission can create privacy, confidentiality, and regulatory exposure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The API key is appended to the query string, which is commonly logged by reverse proxies, application servers, browser/history tooling, and monitoring systems. Even over HTTPS, URL-based secrets can leak through logs and observability pipelines, making credential exposure more likely than if the key were sent in an Authorization header.
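The two API-key findings (the command-line/.env guidance above, and the key in the query string here) are easiest to see side by side. The following is an added example, not AMLClaw's code or TrustIn's real API: it builds the same screening request with the key in the query string and with the key in a header, shows what a reverse-proxy access log records for each, and refuses a `--api-key` command-line flag in favour of an environment variable. The endpoint `https://api.example.test/v1/screen`, the `TRUSTIN_API_KEY` variable name and the log line are all hypothetical or constructed.

```python
# Added example, not AMLClaw's code: the same request built with the key in
# the query string (what the finding describes) and with the key in a header,
# plus the two checks a reviewer would run. The endpoint, header, env var name
# and log format below are hypothetical/constructed.
import os
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

API_BASE = "https://api.example.test/v1/screen"  # hypothetical, not TrustIn's real URL
KEY_ENV_VAR = "TRUSTIN_API_KEY"                   # hypothetical variable name


def build_request_query_key(address: str, api_key: str) -> Tuple[str, Dict[str, str]]:
    """Weak form: the key is part of the URL, so every reverse proxy, access
    log, APM trace and browser history entry that records the URL records the key."""
    url = API_BASE + "?" + urlencode({"address": address, "api_key": api_key})
    return url, {}


def build_request_header_key(address: str, api_key: str) -> Tuple[str, Dict[str, str]]:
    """Hardened form: the URL carries only non-secret parameters; the key
    travels in a header, which access logs do not record by default."""
    url = API_BASE + "?" + urlencode({"address": address})
    return url, {"Authorization": "Bearer " + api_key}


def load_api_key(argv: Tuple[str, ...] = ()) -> str:
    """Read the key from the environment and refuse a --api-key flag: argv is
    shown by `ps` to every user on the host and is kept in shell history,
    whereas a process's environment is readable only by its own user (and root)."""
    if any(arg == "--api-key" or arg.startswith("--api-key=") for arg in argv):
        raise ValueError("pass the key via %s, not on the command line" % KEY_ENV_VAR)
    key = os.environ.get(KEY_ENV_VAR)
    if not key:
        raise RuntimeError("%s is not set" % KEY_ENV_VAR)
    return key


def access_log_line(url: str, status: int = 200) -> str:
    """What a typical reverse proxy writes for the request (constructed, Common
    Log Format): the path and the full query string are logged, headers are not."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return '203.0.113.7 - - [01/Jan/2025:00:00:00 +0000] "GET %s HTTP/1.1" %d' % (target, status)


def url_leaks_secret(url: str, secret: str) -> bool:
    """Reviewer check: does the secret occur in any query-string value?"""
    query = parse_qs(urlsplit(url).query)
    return any(secret in value for values in query.values() for value in values)


if __name__ == "__main__":
    os.environ.setdefault(KEY_ENV_VAR, "sk-CONSTRUCTED-EXAMPLE-KEY")
    key = load_api_key()
    address = "0x0000000000000000000000000000000000000000"  # constructed sample address
    for label, build in (("query", build_request_query_key), ("header", build_request_header_key)):
        url, headers = build(address, key)
        verdict = "LEAKS KEY" if url_leaks_secret(url, key) else "clean"
        print("%-6s %s  -> %s" % (label, access_log_line(url), verdict))
```

Run it and the query-string variant prints the key inside the logged request target while the header variant does not; that log line is exactly what a proxy, CDN or observability pipeline retains, which is why TLS alone does not protect a URL-borne key.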

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
python-dotenv>=0.19.0
Confidence
97% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
python-dotenv>=0.19.0
Confidence
94% confidence
Finding
python-dotenv>=0.19.0
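The two findings above quote the same `requirements.txt` lines. As an added example (not part of the scan report or the AMLClaw project), here is a small check that flags any requirement not pinned to a single exact version, run over a constructed requirements file whose first two entries are the lines the report quotes. The `certifi` and `idna` lines and the all-zero hash are placeholders added to show what a pinned entry looks like, not real digests.

```python
# Added example, not part of the scan report or the AMLClaw project: a check
# that flags requirement lines which are not pinned to one exact version.
# The requirements text is constructed; its first two lines are the ones the
# report quotes, the rest are placeholders (the hash is not a real digest).
import re
from typing import Dict, List

REQUIREMENTS_TXT = """\
# constructed sample requirements file
requests>=2.28.0
python-dotenv>=0.19.0
certifi==2024.7.4
idna==3.7 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

# name, optional extras, then the version specifier / options.
_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")


def check_requirements(text: str) -> List[Dict[str, str]]:
    """Return one finding per requirement that is not pinned with '=='.

    A '>=' lower bound (as in the report) lets a later `pip install` silently
    pull whatever the index serves at that moment, including a future
    compromised release; '==' plus --hash is the reproducible form.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.split("#", 1)[0].strip()
        if not stripped or stripped.startswith("-"):   # blank, comment, pip option lines
            continue
        m = _REQ_LINE.match(stripped)
        if not m:
            findings.append({"line": str(lineno), "name": stripped, "issue": "unparseable requirement"})
            continue
        name, rest = m.group(1), m.group(3)
        # drop hash options and environment markers, keep only the version specifier
        spec = rest.split("--hash", 1)[0].strip().split(";", 1)[0].strip()
        if spec.startswith("==") and "," not in spec and not spec.endswith("*"):
            continue
        findings.append({"line": str(lineno), "name": name, "issue": "not pinned: %r" % (spec or "no version")})
    return findings


if __name__ == "__main__":
    for f in check_requirements(REQUIREMENTS_TXT):
        print("line %s: %s %s" % (f["line"], f["name"], f["issue"]))
```

Wildcard pins such as `==2.*` and compound ranges are treated as unpinned too, since either still lets the resolver choose a version at install time.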

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
92% confidence
Finding
requests

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
80% confidence
Finding
python-dotenv

VirusTotal

65/65 vendors flagged this skill as clean.
