Claw-lint

Security checks across malware telemetry and agentic risk

Overview

This is a local skill scanner whose file-reading and shell use match its stated purpose, with no evidence of exfiltration, persistence, or destructive behavior.

Install only if you want a local, user-run scanner to read installed OpenClaw skill files. Keep --root limited to directories you intend to audit, avoid sharing full scan output if paths or hashes are sensitive, and do not rely on this tool alone as a complete tamper-detection system.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 90% confidence
Finding: The skill documentation describes shell execution and broad file-reading behavior, but the skill file does not declare permissions. Even if the content is only descriptive, an undeclared capability mismatch weakens the trust model and can mislead users or enforcement systems about what the skill is expected to access.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal