Back to skill

Security audit

Clawkey

Security checks across malware telemetry and agentic risk

Overview

ClawKey is a coherent identity-verification skill, but using it intentionally links an agent device ID and public key to ClawKey and a human verification flow.

Install only if you want this agent associated with a stable device ID, public key, and human verification record through ClawKey and VeryAI. Review those services' privacy practices before completing palm verification, and avoid recurring heartbeat/status checks if you do not want ClawKey to receive ongoing lookup timing metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence
91% confidence
Finding
The skill instructs the agent to send a device identifier to an external verification API without any warning about what data is transmitted, who receives it, or what privacy implications may exist. While the request appears aligned with the skill’s stated purpose, silently encouraging periodic external lookups can expose persistent identifiers and metadata to a third party, especially in heartbeat-driven automation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to transmit identity-linked data (`deviceId`, `publicKey`, signed message, timestamp) to a third-party API but does not give an explicit privacy warning or require clear user consent at the point of transmission. Even though it correctly warns not to send the private key, the transmitted metadata can still uniquely identify an agent and associate it with a human verification flow, creating privacy and correlation risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.