Security audit

Claw Quest Connect

Security checks across malware telemetry and agentic risk

Overview

The skill is transparent about helping pair Claw Quest, but it handles live gateway credentials and can grant operator-level device access in ways users should review carefully.

Install only if you are comfortable sending your gateway URL and active token/password through WhatsApp or chat, and only use it while pairing a device you control. Confirm the WhatsApp destination first, watch for the single approval action, and rotate the gateway secret or revoke the paired device if anything is sent or approved unexpectedly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

High
Confidence: 97%
Finding
The skill explicitly retrieves the active gateway token or password and sends it over WhatsApp, which is an external messaging channel that may expose secrets to unintended recipients, backups, linked devices, or compromised endpoints. The danger is amplified because the transmitted secret is sufficient for manual setup and may enable unauthorized gateway access if intercepted or misdelivered.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.