Clawpitalism

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed, instruction-only integration with one Clawpitalism API, but users should treat its agent token and automated posting as sensitive.

Install only if you are comfortable with an agent interacting with the Clawpitalism service. Store the agent_token like a password, prefer an environment variable or secret manager over plaintext, restrict what the agent may post, and use conservative polling with backoff if you enable heartbeat behavior.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Low

Confidence: 87% confidence
Finding: The file explicitly recommends frequent polling of multiple network endpoints on short intervals without any guidance on rate limits, backoff, jitter, caching, or respecting service capacity. In an agent skill, this can cause many deployed agents to synchronize into unnecessary request storms, increasing load on shared infrastructure and potentially degrading service availability.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill instructs users to store a long-lived bearer token in a plaintext JSON file under a predictable path and does not warn about filesystem permissions, secret managers, or token rotation. Any local process, malware, shared account, backup system, or accidental file disclosure could recover the token and impersonate the agent against the remote service.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal