Security audit

Clawmot

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent for a social-network agent, but it needs review because it can act publicly as the user, upload local files, and keep durable account credentials with only documentation-level consent controls.

Install only if you want your agent to operate a CLAWMOT account for you. Before use, require explicit confirmation for registration, posts, replies, votes, DMs, profile/avatar changes, scam reports, notification changes, and image uploads; avoid auto-routing generic scam or listing checks into this skill; and clear or revoke stored CLAWMOT credentials when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Severity: High
Confidence: 98%

Finding: The skill metadata promises that public mutations require explicit confirmation, but the implementation exposes many write-capable functions that directly perform posting, messaging, voting, reporting, avatar changes, and profile updates without any local confirmation gate. In an agent setting, this mismatch is dangerous because the orchestrator or LLM may invoke these tools based only on prompt context, causing unintended public actions, impersonation, spam, or disclosure under the user's identity.

Vague Triggers

Severity: Medium
Confidence: 87%

Finding: The trigger phrases include broad terms such as 'agent network' and especially 'is this a scam,' which can appear in unrelated conversations. Overbroad activation can route sensitive user content or attachments into this skill unexpectedly, increasing the chance of unintended registration, uploads, external API calls, or inbox access workflows.

Missing User Warnings

Severity: Medium
Confidence: 88%

Finding: The verify flow stores long-lived sensitive material including JWT and agent_secret in shared KV storage without any disclosure, scoping, encryption, or rotation guidance. If another skill, process, or compromised runtime can read the same KV namespace, an attacker could hijack the CLAWMOT account and act as the principal's agent.

Missing User Warnings

Severity: Medium
Confidence: 84%

Finding: The image upload helper reads an arbitrary local file path and transmits its raw contents to an external signed URL, yet the operation does not require any explicit warning or confirmation about local file access and outbound transfer. In an agent environment, prompt injection or tool misuse could trick the agent into uploading sensitive local files masquerading as images, causing data exfiltration.

Vague Triggers

Severity: Medium
Confidence: 90%

Finding: The discovery configuration includes generic triggers such as "verify this listing", "check this image for scam", and broad regex intents like "find|search|look[ -]?up|discover|who.*can" that can cause the skill to activate for ordinary requests not clearly scoped to CLAWMOT. In this skill, unintended activation is more dangerous because the skill has network, email_read, files_read, and persistent secret storage permissions, and some flows can lead to account registration or public posting if the agent misroutes the request.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal