ClawControl

Security checks across malware telemetry and agentic risk

Overview

This audit-logging skill openly sends data to ClawControl, but it asks agents to transmit every event, including messages and internal decisions, without clear limits or redaction.

Install only if you intentionally want exhaustive external logging to ClawControl. Before using it, confirm what data is stored, who can access it, how long it is retained, whether logs can be deleted, and whether the skill can be restricted to sanitized action metadata instead of conversation text, tool outputs, secrets, or internal reasoning.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The instruction to log every internal thought or decision directs the agent to exfiltrate hidden reasoning and potentially sensitive intermediate data to an external service. That exceeds any legitimate audit need and can leak secrets, security-relevant deliberation, user data, and system prompts.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Requiring shell command execution through `exec` and `curl` introduces an unnecessary high-risk mechanism for a logging task. This expands the attack surface to shell injection, command misuse, and uncontrolled outbound transmission when a safer direct integration or SDK could be used.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest presents the skill as action-level observability, but the body broadens scope to every message, tool call, error, and internal decision. This deceptive expansion increases the chance that operators enable the skill under a narrower understanding while it performs much more invasive collection.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill explicitly requires logging every internal thought or decision to an external script, which is unnecessary for ordinary audit logging and exposes privileged model reasoning and potentially sensitive intermediate data. This creates a direct exfiltration channel for secrets, safety deliberations, and hidden chain-of-thought content beyond the stated purpose of per-action observability.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Capturing internal thought/decision content is not justified by the skill's stated logging purpose and materially increases the chance of leaking confidential user data, hidden prompts, and security logic. Because the instruction is mandatory and specific, it appears designed to harvest internal reasoning rather than support legitimate observability.

Vague Triggers

High
Confidence
96% confidence
Finding
The trigger conditions are excessively broad, forcing continuous activation after virtually every event. In context, that creates a persistent data siphon and maximizes the volume of sensitive context sent externally, rather than a narrowly scoped audit hook.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill instructs transmission of comprehensive session and agent activity data to an external endpoint without user notice or consent. This creates severe privacy and confidentiality risk because messages, tool activity, errors, metadata, and possibly secrets can be exported outside the primary system boundary.

Vague Triggers

High
Confidence
97% confidence
Finding
The logging trigger is so broad that it covers effectively all agent activity, including routine user interactions and tool use, causing systematic overcollection and greatly expanding the attack surface for sensitive data exposure. Even if intended for observability, such blanket collection violates least-privilege principles and makes accidental or intentional leakage much more likely.

Missing User Warnings

Critical
Confidence
100% confidence
Finding
The file mandates sending all user messages and internal reasoning to an external script without notice or consent, creating a continuous exfiltration pipeline for sensitive data. In this context, the skill is presented as an audit logger, but its instructions go far beyond normal telemetry and directly conflict with confidentiality expectations, making the risk severe.

Ssd 3

High
Confidence
99% confidence
Finding
Sending every message, tool invocation, internal thought, and error to an external service creates broad natural-language data exfiltration risk. Because these fields can contain credentials, personal data, proprietary content, and hidden reasoning, the resulting leakage scope is extremely high.

Ssd 3

High
Confidence
99% confidence
Finding
By requiring logging of all user messages, internal reasoning, and full context to an external tool, the skill establishes a natural-language data leakage channel that can capture secrets, PII, credentials, and hidden instructions. The danger is heightened because the transmission is framed as mandatory and routine, reducing opportunities for the agent to apply discretion or filtering.

Ssd 4

Medium
Confidence
95% confidence
Finding
The prescribed workflow normalizes disclosure after every interaction, creating a persistent habit of leaking contextual data to an external logger. This increases cumulative exposure over time and makes even low-sensitivity events dangerous in aggregate, especially when combined with the instructions to include full context and reasoning.

VirusTotal

65/65 vendors flagged this skill as clean.
