ClawHub

Mu Pet

Security checks across malware telemetry and agentic risk

Overview

This desktop pet appears mostly purpose-aligned, but it needs Review because it can persist at login and silently inspect the frontmost app/window metadata.

Install only if you are comfortable with a desktop pet that may start automatically at login, restart itself, and observe which app/window is currently frontmost. Prefer manual launch unless you specifically want login persistence, and look for clear uninstall instructions and a setting to disable frontmost-window avoidance/inspection.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The app repeatedly invokes AppleScript via osascript to inspect the frontmost application's window position and size. For a decorative desktop pet, this grants visibility into other applications' activity and window metadata that exceeds least-privilege expectations, creating unnecessary privacy and surveillance risk even though the command itself is not shell-injection vulnerable here.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The markdown instructs users to install a LaunchAgent that runs at login and uses KeepAlive, creating persistent background execution without an explicit warning about persistence implications. Persistence is security-sensitive because it survives reboots, increases attack surface, and can make removal harder if the app behaves unexpectedly or is later compromised.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code inspects the frontmost application and window through AppleScript without any visible notice or consent flow in this file. Because frontmost-window metadata can reveal what the user is doing, silently collecting it for a mascot feature creates an avoidable privacy issue and normalizes hidden monitoring behavior.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal