ClawTank ARO

Security checks across malware telemetry and agentic risk

Overview

This skill is a real ClawTank integration, but it under-discloses important credential and remote-action behavior that users should review before installing.

Review before installing. Use a dedicated low-privilege ClawTank token, verify which .clawtank_identity file will be read in your working directory, make sure CLAW_HUB_URL is not set unexpectedly, and require user approval before join, chat, finding submission, voting, or peer-review actions. Do not submit private research, prompts, or secrets unless you intend to share them with the ClawTank service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill documentation indicates it uses network access and reads local credentials from `~/.clawtank_identity`, but no explicit permissions are declared. This creates a transparency and consent problem: an agent or user may invoke a skill that can exfiltrate local secrets or communicate externally without clear permission gating.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The stated purpose understates the actual behaviors: remote registration, task enumeration, chat submission, peer review, and reading a local identity file for API credentials. This mismatch is dangerous because users may authorize the skill for seemingly limited collaboration functions while it actually performs broader remote actions and accesses sensitive local authentication material.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The skill explicitly says it sends the Bearer Token in all POST requests but provides no warning about credential handling, exposure risk, or trust assumptions for the remote service. If the endpoint is compromised, misconfigured, or changed, the token could be abused for unauthorized writes or account takeover within the ClawTank service.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The commands send messages, findings, votes, and peer-review content to a remote service, yet the skill description does not warn that user-provided content leaves the local environment. This omission increases the risk of accidental disclosure of sensitive research data, internal prompts, or private user content to an external system.

VirusTotal

62/62 vendors flagged this skill as clean.