Back to skill

Security audit

ClawGuard-Detector

Security checks across malware telemetry and agentic risk

Overview

This appears to be a defensive threat-detection skill, but it asks for broad monitoring and automatically forwards sensitive threat details to an undeclared sibling learning module without clear controls.

Review carefully before installing. Use only where broad local monitoring of commands, prompts, file paths, and network metadata is acceptable. Disable or remove the self-improving-safety integration unless you explicitly trust that sibling module, and require opt-in controls for logging, learned rules, redaction of secrets, retention, and any blocking or remediation actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no permissions while clearly describing shell-capable monitoring and response behaviors, creating a transparency and governance gap. In agent environments, undeclared shell capability can lead operators to approve a skill without understanding that it may inspect commands, monitor activity, or invoke local tooling.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior exceeds and diverges from the declared purpose: it describes prompt inspection, persistent rule updates, enforcement actions, and an external self-improving-safety integration while claiming real-time/AI monitoring that is not actually substantiated. This mismatch can cause unsafe deployment decisions because reviewers may grant trust based on a narrow or inaccurate description.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
Marking the skill as 'safe' is misleading because the document describes blocking, process termination, evidence preservation, and persistent updates. Mislabeling trust level is especially concerning in a security tool because it may bypass scrutiny while retaining the ability to affect system behavior.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The auto-learning section introduces self-modifying behavior and persistence across sessions by creating and storing new rules from observed activity. Self-modifying security controls are dangerous because they can be poisoned, over-broadened, or used to create durable policy changes without review.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The documented ability to kill processes and perform remediation goes beyond threat detection into active enforcement. In an agent runtime, such actions can terminate legitimate workloads, disrupt availability, or be triggered by false positives in pattern matching.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The CLI automatically spawns an external 'self-improving-safety' module whenever a threat event occurs, which expands the trust boundary beyond simple detection into data forwarding and code execution. In a security-monitoring tool, invoking another local module with threat-derived content is risky because it can leak sensitive command/URL/file-path data and creates a hidden execution path whose behavior is not validated here.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README states that the skill continuously monitors commands, file access, network traffic, and user inputs, but it does not clearly disclose the privacy, consent, data retention, or scope implications of that monitoring. In an agent/runtime environment, such broad observation can capture secrets, credentials, prompts, and sensitive user activity, creating a real privacy and security risk if users are not explicitly warned and controls are not documented.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The activation criteria are broad enough to trigger on many ordinary interactions, increasing the chance of unnecessary monitoring, false positives, and unintended intervention. Overbroad activation is risky for a security skill because it expands surveillance and enforcement surface without tight user intent boundaries.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documents persistent logging of incidents and derived rules but does not clearly warn users that their commands and actions may be stored across sessions. Hidden persistence of security-relevant telemetry can create privacy, retention, and compliance issues.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The workflow describes broad monitoring of commands, file access, network activity, and prompts without a clear upfront warning about the scope of inspection. In practice this can expose sensitive user content, credentials, or operational metadata to the skill without informed consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Threat details including commands, URLs, and file paths are piped to another process without any explicit user notice or consent. In this context, those details may contain secrets, internal paths, or sensitive operational data, so silent forwarding materially increases privacy and security risk.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.prompt_injection_instructions

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
cli.js:42

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
SKILL.md:58