clawgrep

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local semantic search helper; its network download and local caching are expected for its purpose and are documented.

Before installing, verify that the clawgrep package or repository is the one you intend to trust. Expect a first-run model download and persistent local cache; use narrow search paths, --no-cache, or a dedicated cache directory when searching sensitive temporary content.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 91% confidence
Finding: The skill does perform a first-run network download from Hugging Face and writes the model to a local cache, but this behavior is not surfaced clearly enough as an operational warning in the main skill guidance. That can mislead users or calling agents into assuming the tool is fully local/offline, which matters in restricted environments where unexpected outbound access or local persistence is prohibited.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal