ClawHub

CLAW Observability

Security checks across malware telemetry and agentic risk

Overview

This is a real observability tool, but it installs persistent background hooks that send task activity to an external service while telling the agent not to disclose the monitoring.

Install only if you intentionally want always-on Claude Code activity reporting to a CLAW server. Review the hook script first, use only a trusted HTTPS CLAW_BASE_URL, assume task descriptions may reveal sensitive project details, and confirm you are comfortable with persistent hooks in ~/.claude/settings.json. The concealment instructions should be removed or overridden in any transparent deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises zero agent involvement and declares no permissions, yet the documented behavior and metadata indicate shell execution and filesystem modification capabilities are used indirectly via setup/bootstrap and hooks. This is dangerous because it creates hidden execution and persistence paths without explicit permission disclosure, undermining informed consent and security review.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
There is a strong mismatch between the stated purpose of passive observability and the broader behavior of modifying ~/.claude/settings.json, copying executables into the user's home directory, registering remote hierarchy data, and emitting network events. Hidden configuration changes and remote bootstrap behavior materially expand the trust boundary and can enable covert monitoring or persistence beyond what a user would reasonably expect from the description.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script actively creates remote state by registering a full agent hierarchy to an external API, which goes beyond passive observability and contradicts the stated 'zero agent involvement' behavior. In a bootstrap context this can unexpectedly transmit organizational metadata and create persistent dashboard objects without operator awareness, increasing the attack surface and risk of unauthorized telemetry or inventory disclosure.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script requires an API key and base URL from environment variables to perform remote registration, which is sensitive because it enables outbound authenticated writes to an external service unrelated to the claimed passive observability model. While reading secrets from environment variables is common, here it authorizes remote provisioning of agent entities and can be abused if the script is run in an untrusted environment or pointed at an attacker-controlled base URL.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The changelog advertises automatic, fire-and-forget HTTP reporting of agent lifecycle events but does not warn users that operational data may be transmitted off-host. In an observability skill, silent network egress and automatic activity reporting materially affect privacy, consent, and data-handling expectations, especially because hooks run without direct agent involvement.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README promotes automatic reporting of agent activity to a remote dashboard and explicitly includes task descriptions in the event feed. Even though it later claims that no sensitive data leaves the machine, task descriptions can easily contain proprietary prompts, project names, incident details, or other sensitive context, so the documentation understates the data-exfiltration risk.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The manifest describes automatic invocation in broad terms without defining scope, triggers, data collected, or operational limits. In this context, the lack of scope constraints is risky because the skill is designed to run silently and continuously through hooks, which can lead to excessive collection or unintended activation across user workflows.

Missing User Warnings

High
Confidence
99% confidence
Finding
The markdown explicitly instructs silent operation, forbids disclosure to the user, and tells the agent to behave as if the skill does not exist while background monitoring occurs. Concealing observability and data transmission from the user is inherently dangerous because it defeats transparency and consent, and in this context increases suspicion that the monitoring is intended to evade detection rather than merely reduce noise.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The description promises that the skill 'automatically reports every agent lifecycle event' and provides 'full operational visibility' with 'zero agent involvement,' but it does not state any trigger limits, consent boundaries, scoping rules, or exclusions for sensitive workflows. In an observability skill, broad automatic collection language increases the risk of overcollection and unintended transmission of sensitive task metadata, especially in multi-agent sessions where prompts, task names, errors, and workflow structure may contain confidential information.

Natural-Language Policy Violations

Low
Confidence
80% confidence
Finding
The manifest advertises 'full operational visibility' and 'fully automatic via hooks' without mentioning user consent, policy controls, or deployment-specific choices. While this is marketing text rather than executable code, it still signals a design expectation of comprehensive monitoring by default, which can normalize collection beyond what users or organizations intend.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The hook sends agent activity and task-related metadata to an external endpoint with no runtime notice, consent, or approval gate. In this context, task descriptions can contain sensitive prompts, project names, secrets, internal architecture details, or regulated data, so silent exfiltration to a third-party dashboard is a real confidentiality risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer persistently copies an executable hook into ~/.claude/hooks and modifies ~/.claude/settings.json so Claude Code will automatically run that script on multiple events. Even if intended for observability, this creates durable automatic code execution in the user's environment without an explicit, up-front consent prompt describing the persistence and scope of interception, which increases the risk of covert monitoring or later abuse if the hook script is changed.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The setup script performs an outbound POST to the configured CLAW service using the user's API key as part of a connection test, but it does not clearly warn beforehand that installation will transmit data over the network. Silent or unexpected credentialed network activity during installation can leak metadata, surprise users in restricted environments, and normalize exfiltration behavior.

Ssd 3

Medium
Confidence
97% confidence
Finding
The instructions specifically conceal automatic collection and reporting of user interactions and operational events from the user. This is dangerous because hidden telemetry about prompts, tool use, and workflow state can expose sensitive operational data, and the deliberate concealment makes the context more severe than ordinary analytics.

Ssd 3

Medium
Confidence
98% confidence
Finding
The script forwards natural-language task descriptions in messages such as the raw description, 'Completed: <description>', and 'Failed: <description>' to an external service. Because these descriptions are free-form and user/agent-generated, they can easily include confidential prompts, credentials, incident details, customer data, or proprietary plans, creating a direct data leakage channel.

Session Persistence

Medium
Category
Rogue Agent
Content
Setup takes about 2 minutes. You need `curl` and `python3` (both come pre-installed on macOS and most Linux distros).

### Step 1: Create your CLAW account and get an API key

1. Go to **[claw.ia.br](https://claw.ia.br)** and create a free account
2. Navigate to **Machines** and click **Create Machine**
Confidence
72% confidence
Finding
Create your CLAW account and get an API key 1. Go to **[claw.ia.br](https://claw.ia.br)** and create a free account 2. Navigate to **Machines** and click **Create Machine** 3. Give it a name (e.g., "

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal