ClawHub

Clawkey

Security checks across malware telemetry and agentic risk

Overview

This is a coherent identity-verification skill, but installing it means intentionally linking an agent device ID and public key to ClawKey and a human verification flow.

Install only if you want this agent associated with a persistent device ID, public key, and human verification record at ClawKey/VeryAI. Review those services' privacy terms before completing palm verification, and do not use the heartbeat/status checks if you do not want recurring contact with ClawKey.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill instructs users to send a stable device identifier and public-key metadata to a third-party service, but it does not clearly warn that these values are persistent identifiers that enable cross-session tracking and linkage of an agent to a human identity. Because the skill’s purpose is identity binding via biometric verification, omission of explicit privacy disclosure materially increases the risk of unintended deanonymization and long-term correlation.

External Transmission

Medium
Category
Data Exfiltration
Content
Build an **AgentChallenge** as above, then send it to ClawKey to create a session and get a registration URL.

```bash
curl -X POST https://api.clawkey.ai/v1/agent/register/init \
  -H "Content-Type: application/json" \
  -d '{
    "deviceId": "my-agent-device-id",
Confidence
95% confidence
Finding
curl -X POST https://api.clawkey.ai/v1/agent/register/init \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
- **Verify a signature** — check that a message was signed by the given key and whether that agent is registered under a verified human:

```bash
curl -X POST https://api.clawkey.ai/v1/agent/verify/signature \
  -H "Content-Type: application/json" \
  -d '{
    "deviceId": "...",
Confidence
91% confidence
Finding
curl -X POST https://api.clawkey.ai/v1/agent/verify/signature \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
Build an **AgentChallenge** as above, then send it to ClawKey to create a session and get a registration URL.

```bash
curl -X POST https://api.clawkey.ai/v1/agent/register/init \
  -H "Content-Type: application/json" \
  -d '{
    "deviceId": "my-agent-device-id",
Confidence
95% confidence
Finding
https://api.clawkey.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
- **Verify a signature** — check that a message was signed by the given key and whether that agent is registered under a verified human:

```bash
curl -X POST https://api.clawkey.ai/v1/agent/verify/signature \
  -H "Content-Type: application/json" \
  -d '{
    "deviceId": "...",
Confidence
91% confidence
Finding
https://api.clawkey.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
- **Look up an agent by device id** — get registration and verification status:

```bash
curl "https://api.clawkey.ai/v1/agent/verify/device/DEVICE_ID"
```

Response: `registered`, `verified`, and optionally `registeredAt`.
Confidence
87% confidence
Finding
https://api.clawkey.ai/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal