Clawchest Setup

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Clawchest storage and banking integration, but it encourages recurring uploads of potentially sensitive logs and files, and it exposes money-movement, transfer, secret-management, and delete actions without adequate scoping or confirmation guidance.

Install only if you intentionally want an agent to use clawchest.com for remote storage and banking-like actions. Do not enable the heartbeat or automated log deposits unless you have defined exactly which non-sensitive files may be uploaded, require operator confirmation for money transfers, withdrawals, deletes, and sensitive uploads, and protect the Clawchest API key (and rotate it if it is ever exposed).

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The skill is presented as secure storage, but it also exposes monetary deposit, withdrawal, and transfer operations. That mismatch expands the blast radius significantly: an agent expecting backup/storage behavior could be induced to move funds or initiate financial actions without the tighter controls, confirmations, and policy checks normally required for banking workflows.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The skill instructs agents to integrate periodic uploads of logs and state into heartbeat routines, even though such data may contain sensitive user, system, or operational information. Normalizing recurring exfiltration to a remote service creates a standing risk of privacy leakage and over-collection beyond what a storage skill minimally requires.

Vague Triggers

Medium
Confidence: 88%
Finding
Telling agents to deposit data 'whenever you think of it' promotes overly broad invocation without clear boundaries, necessity, or authorization checks. This increases the chance that an agent uploads local files, state, or sensitive context opportunistically rather than in response to an explicit, justified request.

Missing User Warnings

High
Confidence: 98%
Finding
The heartbeat section encourages routine backup of activity logs and state data but provides no warning about privacy, consent, secrets, or sensitive content likely to appear in such artifacts. In agent environments, logs and state often contain prompts, credentials, personal data, or internal reasoning-adjacent metadata, making blind periodic upload dangerous.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill documents deletion of files, JSON data, and secrets as simple API calls without any confirmation, recovery, or safety guidance. An agent following these examples could irreversibly destroy important data or credentials due to misinterpretation, prompt injection, or operator error.

Ssd 3

High
Confidence: 98%
Finding
The instructions explicitly encourage periodic upload of recent activity logs, which are a common container for secrets, personal data, and sensitive operational traces. Because this is framed as routine maintenance, it can cause persistent externalization of sensitive information without case-by-case review.

Ssd 3

High
Confidence: 96%
Finding
The skill repeatedly frames backup of logs, files, and data as routine and desirable behavior, which semantically instructs agents to externalize broad categories of local information. In context, this is dangerous because the skill also claims to store secrets, increasing the likelihood that highly sensitive material is swept into recurring uploads.

Ssd 3

Medium
Confidence: 94%
Finding
The quick-start heartbeat examples normalize uploading logs and status data as recurring actions, lowering operator caution around transmitting local operational data to a remote service. Even simple status payloads can reveal sensitive timing, workload, or system details, while logs may contain much more sensitive content.

Ssd 3

Medium
Confidence: 93%
Finding
The ideas section reinforces automated deposits of activity logs every six hours, encouraging continuous retention of potentially sensitive interactions and system traces. This repetition strengthens the operational norm that exfiltrating logs is expected behavior rather than an exception requiring review.
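The controls the Overview asks for (an explicit upload allowlist, operator confirmation for money and delete actions, and a secret scan before any log leaves the host) and the log-leakage findings above can be enforced in a policy layer that sits between the agent and its tool calls. The following is an added example written for this page; it is not code from the Clawchest skill or from clawchest.com. The action names (`deposit_file`, `transfer_funds`, `delete_secret`, and so on), the allowlist directory, and the log lines are constructed assumptions, and the Clawchest API itself is not modelled.

```python
import posixpath
import re
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

class Decision(Enum):
    ALLOW = "allow"
    CONFIRM = "require_confirmation"
    DENY = "deny"

# Hypothetical action names; the real skill's tool names are not assumed here.
# Anything that moves funds or is irreversible always needs operator confirmation.
HIGH_RISK_ACTIONS = {
    "deposit_funds", "withdraw_funds", "transfer_funds",
    "delete_file", "delete_json", "delete_secret",
}

# Narrow patterns for the kinds of material that commonly leak through activity logs.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[a-z0-9._\-]{20,}"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_secret": re.compile(r"(?i)\b(?:api[_-]?key|secret|password|token)\b\s*[:=]\s*\S{8,}"),
}

@dataclass
class Policy:
    # Only files under these directories may leave the host without a human in the loop.
    upload_allowlist: Tuple[str, ...] = ("/var/lib/agent/exports/",)

@dataclass
class Request:
    action: str
    path: Optional[str] = None
    content: Optional[str] = None
    # True when the user asked for this upload; False for heartbeat / "whenever you think of it".
    explicit_user_request: bool = False

def find_secrets(text: str) -> List[Tuple[str, int]]:
    """Return (pattern_name, 1-based line number) for every secret-like hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((name, line_no))
    return hits

def path_allowed(path: str, allowlist: Tuple[str, ...]) -> bool:
    """Normalise the path (collapsing ..) before comparing against the allowlist."""
    if not path.startswith("/"):
        return False
    norm = posixpath.normpath(path)
    return any(norm.startswith(posixpath.normpath(d) + "/") for d in allowlist)

def evaluate(req: Request, policy: Policy) -> Tuple[Decision, str]:
    """Decide whether the agent may run the action autonomously."""
    if req.action in HIGH_RISK_ACTIONS:
        return Decision.CONFIRM, f"{req.action} moves funds or is irreversible; ask the operator first"
    if req.action == "deposit_file":
        if req.path is None or req.content is None:
            return Decision.DENY, "upload request without a path or payload"
        if not path_allowed(req.path, policy.upload_allowlist):
            if req.explicit_user_request:
                return Decision.CONFIRM, f"{req.path} is outside the upload allowlist"
            return Decision.DENY, f"opportunistic upload of {req.path} is outside the upload allowlist"
        hits = find_secrets(req.content)
        if hits:
            kinds = ", ".join(sorted({name for name, _ in hits}))
            return Decision.DENY, f"secrets found in payload ({kinds}); redact and rotate before uploading"
        return Decision.ALLOW, "path is allowlisted and no secrets were detected"
    return Decision.DENY, f"unknown action {req.action!r}"

# Constructed activity log: the kind of file a heartbeat would sweep up.
SAMPLE_LOG = "\n".join([
    "2024-05-01T10:00:01Z INFO heartbeat ok",
    "2024-05-01T10:00:02Z DEBUG request header Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abcdefghijklmnop",
    "2024-05-01T10:00:03Z DEBUG env AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "2024-05-01T10:00:04Z INFO export complete",
])

if __name__ == "__main__":
    policy = Policy()
    for req in [
        Request("transfer_funds"),
        Request("deposit_file", "/var/lib/agent/exports/activity.log", SAMPLE_LOG),
        Request("deposit_file", "/var/lib/agent/exports/status.json", '{"ok": true}'),
        Request("deposit_file", "/home/user/.ssh/id_rsa", "...", explicit_user_request=False),
        Request("deposit_file", "/var/lib/agent/exports/../secrets.json", "{}", explicit_user_request=True),
    ]:
        decision, reason = evaluate(req, policy)
        print(f"{req.action:14} {req.path or '-':45} -> {decision.value}: {reason}")
```

The gate treats the heartbeat's "upload whenever" behaviour as the default-deny case: a non-explicit upload outside the allowlist is refused outright, an explicit one is escalated to the operator, and even an allowlisted log is blocked when it carries something that looks like a credential, so the fix is redaction plus rotation rather than a silent retry.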

VirusTotal

64/64 vendors flagged this skill as clean.
