Security audit

Leclaw

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is mostly coherent, but it tells agents to store API keys in markdown files, share private reasoning logs, and enable autonomous heartbeat-driven work.

Install only if you are comfortable with a Review-level skill that coordinates agents and mutates LeClaw state. Before use, store API keys in a protected secret mechanism instead of markdown, avoid putting secrets or private reasoning in activity.log, require explicit approval for creating agents or approving actions, and enable heartbeat files only with clear limits and a stop procedure.
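The remediation above is concrete enough to check mechanically. The following is an added example (not LeClaw's or SkillSpector's own code) that scans the two files the skill tells agents to write, `TOOLS.md` and `activity.log`, for credential-shaped strings, redacts them before the log is shared, and loads the API key from an environment variable or an owner-only file while refusing markdown sources. The key prefixes (`lc_`, `sk_`), the env var name and the sample file contents are assumptions; the page does not document LeClaw's key format.

```python
"""Workspace checks for the credential-handling findings in this audit.
Added example, not LeClaw's own code. Key shapes and file names are assumed."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Assumed token shapes: "api_key/token/secret = <long value>" and prefixed keys.
# The real LeClaw key format is not given on the page, so these are guesses.
KV_SECRET = re.compile(
    r"(?i)(api[_-]?key|token|secret)(\s*[:=]\s*['\"]?)([A-Za-z0-9_\-]{16,})"
)
PREFIXED_KEY = re.compile(r"\b(?:sk|lc)_[A-Za-z0-9]{20,}\b")  # hypothetical prefixes
WATCHED_FILES = {"tools.md", "activity.log"}  # files the skill has agents write


def find_secrets(text):
    """Return (line_number, snippet) for each line that looks like it holds a credential."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = KV_SECRET.search(line) or PREFIXED_KEY.search(line)
        if m:
            hits.append((lineno, m.group(0)))
    return hits


def redact(text):
    """Mask credential values so the log can be read by other agents safely."""
    text = KV_SECRET.sub(lambda m: m.group(1) + m.group(2) + "[REDACTED]", text)
    return PREFIXED_KEY.sub("[REDACTED]", text)


def scan_workspace(root):
    """Scan TOOLS.md and activity.log (any case) under root; return {name: hits}."""
    findings = {}
    for p in Path(root).iterdir():
        if p.is_file() and p.name.lower() in WATCHED_FILES:
            hits = find_secrets(p.read_text())
            if hits:
                findings[p.name] = hits
    return findings


def load_api_key(env_var="LECLAW_API_KEY", secret_file=None):
    """Read the key from the environment, else from a file only its owner can read.
    Never accept a markdown file: that is the pattern the audit flags."""
    value = os.environ.get(env_var) if env_var else None
    if value:
        return value
    if secret_file is None:
        raise RuntimeError("no key in environment and no secret file given")
    p = Path(secret_file)
    if p.suffix.lower() == ".md":
        raise RuntimeError("refusing to read a credential from a markdown file")
    mode = stat.S_IMODE(p.stat().st_mode)
    if mode & 0o077:
        raise RuntimeError(f"{p} is readable by group/others (mode {oct(mode)})")
    return p.read_text().strip()


def demo():
    """Build a constructed workspace in a temp dir and exercise each check."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed files mimicking what the skill tells agents to write.
        (root / "TOOLS.md").write_text("## LeClaw\nkey: lc_abcdefghij0123456789XY\n")
        (root / "activity.log").write_text(
            "10:01 decided to retry\n10:02 api_key = abcdefghijklmnopqrstuvwxyz12\n"
        )
        results["scan"] = scan_workspace(root)
        results["redacted_log"] = redact((root / "activity.log").read_text())

        secret = root / "leclaw.key"  # assumed location of the protected key file
        secret.write_text("lc_abcdefghij0123456789XY\n")
        secret.chmod(0o600)
        results["file_key"] = load_api_key(env_var=None, secret_file=secret)
        secret.chmod(0o644)
        try:
            load_api_key(env_var=None, secret_file=secret)
            results["loose_mode_rejected"] = False
        except RuntimeError:
            results["loose_mode_rejected"] = True
        try:
            load_api_key(env_var=None, secret_file=root / "TOOLS.md")
            results["markdown_rejected"] = False
        except RuntimeError:
            results["markdown_rejected"] = True
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Run `scan_workspace` before a workspace is shared or committed, and route any agent-written log through `redact` before another agent is allowed to read it. The `load_api_key` check enforces the "protected secret mechanism" recommendation: the key never passes through a markdown file or a command-line flag, so it does not land in shell history, process listings or prompt context.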

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The skill gives conflicting guidance by calling `activity.log` a private internal monologue while also stating other agents can read it. That contradiction creates a strong risk that agents will record sensitive reasoning, credentials, user data, or hidden context in a file that is effectively shared, causing prompt/data leakage across agents.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The guide instructs the hired agent to persist a personal API key in TOOLS.md, which broadens the skill from collaboration workflows into credential storage and handling. Storing secrets in a general markdown file increases the chance of accidental disclosure through workspace sharing, logs, prompts, or future agent reads, even if the document does not explicitly ask to exfiltrate the key.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The skill instructs agents to maintain and read an `activity.log` containing private thinking, analysis, and decision rationale, without any safeguards against sensitive content exposure. In a multi-agent workspace, this invites storage and later disclosure of hidden reasoning, user data, security-relevant context, and other information that should not be persisted or shared.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill tells agents to save personal API keys in `tools.md` and pass them on the command line, but provides no warning about credential exposure. Storing keys in ordinary documentation files and supplying them via CLI flags can leak secrets through files, shell history, logs, process listings, screenshots, or accidental sharing of the workspace.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The onboarding flow tells agents to save a personal API key in plaintext without any warning that it is sensitive or any guidance on least-privilege, access control, or redaction. In an agent environment where files may be read by other skills, copied into context, or committed inadvertently, this omission materially raises the likelihood of credential compromise and unauthorized use of the LeClaw account.

Ssd 3

Severity: High
Confidence: 99%
Finding
This guidance establishes a natural-language exfiltration path by encouraging agents to write private reasoning into `activity.log` and then allowing other agents to read it. In the context of a hierarchical multi-agent collaboration skill, that turns internal thought, user-provided data, security decisions, and potentially secrets into accessible cross-agent data, undermining isolation and confidentiality.

Ssd 3

Severity: High
Confidence: 97%
Finding
The process requires the agent to paste the API key into TOOLS.md and then confirm in chat that it has been stored, creating a workflow centered on credential handling during onboarding. Even though the template does not explicitly ask the agent to send the key value back, it normalizes secret propagation into human/agent-readable artifacts and increases the risk that the key is exposed via chat, screenshots, shared files, or automated context ingestion.

VirusTotal

65/65 vendors reported this skill as clean (no detections).