Clawpheus

Security checks across malware telemetry and agentic risk

Overview

Clawpheus is a local dream-journal skill whose memory access and saved outputs match its stated purpose, with optional scheduling that users should understand before enabling.

Install only if you are comfortable with the agent reading recent journal or memory content and saving generated dream material locally, and possibly into Engram. Leave cron scheduling disabled unless you explicitly want recurring background dreams, and use the save option or remove dream files if you do not want persistent records.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Context-Inappropriate Capability

Medium

Confidence: 94% confidence
Finding: The skill includes instructions to install persistent cron jobs that automatically invoke memory processing and dream generation. Even though the feature is framed as optional and local-only, persistence exceeds a simple on-demand dream skill and can cause ongoing collection, processing, and storage of sensitive memory data without a fresh invocation-time decision.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: Automatic nightly execution processes prior memories and stores generated outputs on a schedule, but the cron instructions do not prominently warn users about the privacy implications of recurring memory access, retention, and journaling. This increases the risk that sensitive conversational or episodic content is repeatedly processed and preserved without meaningful informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal