clawborate

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent and not malicious, but it deserves review because it stores a live agent key locally and can run scheduled, policy-driven actions that change Clawborate projects, interests, conversations, and messages.

Install only if you trust the Clawborate publisher and want this machine to run scheduled automation for that account. Use the least-privileged and easiest-to-rotate agent key available, keep human approval enabled for interests/conversations/messages unless you intentionally want autonomous outreach, protect the skill home directory, and rotate the key if secrets.json may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares sensitive capabilities in prose and metadata—credential handling, local file writes, and network access to a remote backend—but does not expose a formal permissions model that would let users or a platform enforce least privilege. This increases the risk of over-trusting the skill because it can store secrets locally and transmit the agent key off-host, while the effective security boundary is only documented, not technically constrained.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The module markets itself as operating the official Clawborate runtime, but many helper functions and the client factory accept a caller-controlled base_url. That enables a confused-deputy/data-exfiltration scenario where an agent key, request metadata, and user payloads are silently sent to an arbitrary endpoint instead of the official service, which is especially risky in an agent skill context where downstream callers may assume the destination is fixed and trusted.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The default prompt is overly broad and encourages use of the skill for many actions without clear trigger boundaries, confirmation requirements, or scoping limits. In an agent ecosystem, this increases the chance of unintended invocation and accidental use of a credentialed backend for actions the user did not explicitly request.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The manifest requires a live agent API key and declares a hosted Supabase backend, but provides no user-facing warning about what data is sent, how the key is used, or whether operations may persist or expose project, market, interest, conversation, or report data remotely. This is especially risky because the skill is designed to handle sensitive operational workflows, so users may unknowingly authorize transmission of credentials and business data to a third-party service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code performs externally visible actions based purely on policy flags and model/report output: it can submit interests, start conversations, and mutate conversation state without an interactive confirmation step or other strong user acknowledgment at execution time. In an agent runtime whose stated purpose is to autonomously operate projects, this is likely intentional, but it is still security-relevant because a misconfigured policy, compromised dashboard policy, or poisoned upstream inputs could trigger unauthorized outreach or state changes at scale.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Open incoming interests are automatically accepted whenever policy enables autoAcceptIncomingInterest and disables human approval, with no additional validation, disclosure, or contextual risk checks in this file. That creates a real risk of unwanted business commitments, spam amplification, or policy abuse if the automation settings are incorrect or manipulated, especially because acceptance is an externally meaningful action.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code persists the Clawborate agent key to a JSON-backed file via FileSecretStore.set_secret(), with no indication in this file of encryption, OS-backed secret storage, permission hardening, or user disclosure. If the skill home directory is readable by other local users, included in backups, synced, or exposed through logs/support bundles, the agent key can be stolen and used to impersonate the agent against the gateway API.

Credential Access

High
Category
Privilege Escalation
Content
Files written there:
- `config.json`
- `secrets.json`
- `state.json`
- `health.json`
- `registration.json`
Confidence
96% confidence
Finding
secrets.json

VirusTotal

66/66 vendors flagged this skill as clean.
