Clawguard Skill

Security checks across malware telemetry and agentic risk

Overview

ClawWall is described as a local DLP tool, but its default configuration can expose the scanner on the network and allow sensitive outbound data to bypass protection.

Install only if you are comfortable with a persistent local service that inspects outbound tool-call content. Before relying on it for DLP, bind the service to 127.0.0.1, set blockOnError=true for fail-closed behavior, review the PyPI package source, and avoid relying on REDACT until multi-argument redaction is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no permissions while its documented behavior clearly requires shell execution, network access, environment interaction, startup hooks, and persistent service installation. This is dangerous because it obscures the actual trust boundary and can cause operators to install a component with broader system reach than expected.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is presented as a simple hard-regex outbound DLP control, but the documented behavior includes a resident background service, config mutation, local HTTP transport, metadata transmission, autostart hooks, and OS-level persistence. This mismatch is dangerous because users may approve a narrowly described safety tool without realizing it introduces a privileged local service and additional attack surface.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The plugin serializes outbound tool-call arguments and sends the full content to a scanning service over HTTP at `http://127.0.0.1:8642/api/v1/scan`. Even if bound to localhost, this means sensitive data leaves the originating tool context before any enforcement decision is made, contradicting the claim that secrets and PII are prevented from leaving the machine; additionally, use of plaintext HTTP increases interception or local service impersonation risk on compromised hosts.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The default configuration sets `blockOnError: false`, and `beforeToolCall` explicitly returns `{ allow: true }` when the scanning service is unreachable or errors. This creates a fail-open path where sensitive outbound content is transmitted without any DLP enforcement, directly undermining the plugin's stated purpose of blocking secrets and PII from leaving the machine.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
When the scanner returns `REDACT`, the code replaces only the first string argument and leaves any additional string fields untouched, despite comments implying broader protection. In a multi-argument tool call, sensitive data in later arguments can therefore bypass redaction and still be transmitted externally, creating an incomplete and misleading DLP control.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The plugin’s behavior does not match its stated security posture of hard blocking outbound secrets/PII. It can fail open when the scanning service is unreachable, allow risky content after interactive approval, and permit redacted outbound transmission, all of which can let sensitive data leave the machine despite the DLP promise. In a security control whose purpose is outbound prevention, this mismatch is dangerous because operators may rely on stronger guarantees than the code actually enforces.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The REDACT path claims to replace all string arguments, but the implementation only replaces the first string argument and then breaks out of the loop. If sensitive content exists in later string fields, the tool call is still allowed and those unredacted values can be exfiltrated, directly undermining the DLP control. In this context, partial redaction is more dangerous than a normal bug because it creates a false sense of protection while permitting leakage.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The manifest and metadata describe the skill as a local, domain-controlled outbound DLP layer with 'no LLM', but the configuration explicitly delegates scanning decisions to a separate service via a URL. Even though the default points to localhost, using plain HTTP and an externally configurable endpoint weakens the trust boundary and can allow sensitive outbound content to be sent to an unintended service, contradicting the stated security model.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The skill is presented as a hard-blocking DLP control, but the documented default behavior is fail-open when the scanning service is unreachable. That means an attacker, malware, or even a transient outage can bypass outbound inspection entirely, allowing secrets or PII to leave the machine precisely when the protection layer is degraded.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The installer configures the service with CLAWGUARD_HOST=0.0.0.0 in both the systemd and launchd service definitions, which exposes the DLP service on all network interfaces rather than limiting it to localhost. For a local outbound-filtering component, this unnecessarily expands the attack surface and could allow other hosts on the network to interact with the service, potentially bypassing assumptions about local-only trust or reaching administrative/debug endpoints.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The hook documentation describes automatically starting a background service on gateway startup, writing a PID file in the user's home directory, and waiting for readiness, but it does not mention consent, visibility, lifecycle management, or user warning about these system changes. In a security-sensitive agent environment, silent autostart behavior expands persistence and execution surface, making unexpected process creation harder for users to detect and control even if the stated purpose is defensive DLP.

VirusTotal

66/66 vendors flagged this skill as clean.
