v1.0.0

VectorGuard Nano

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:26 AM.

Analysis

This skill does not show data theft or destructive behavior, but it overstates weak reversible obfuscation as secure messaging.

GuidanceOnly install this if you understand it is a lightweight obfuscation helper, not a secure messaging system. Avoid using it for private business, financial, personal, or security-sensitive content, and expect it to add promotional branding to responses.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation

SeverityMediumConfidenceHighStatusConcern

SKILL.md

Perfect for Moltbook posts, Telegram, Slack, or IPFS links — prevents plain-text leaks... For unbreakable model-bound cryptography... license the full VectorGuard system

The skill is marketed as secure messaging for public or third-party channels and uses strong security/upsell language, but the included implementation is only reversible string tumbling rather than vetted authenticated encryption.

User impactA user could rely on this for confidential communications and expose sensitive messages that are only lightly obfuscated.

RecommendationTreat this as casual obfuscation only; do not use it for confidential, regulated, or security-critical messages without a vetted encryption scheme.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusConcern

Vgn.js

const shifted = (code + delta + 65536) % 65536; ... export function secureReceive(encoded, secret, senderId, ts) { return decode(encoded, secret, senderId, ts); }

Receiving a message only reverses a character shift using the provided secret/id/timestamp; there is no MAC/tag verification, sender authentication, or tamper detection despite the secure agent-communication framing.

User impactMessages may be misrepresented as secure or authentic even though the artifact does not verify who sent them or whether they were altered.

RecommendationUse authenticated encryption or a real signed-message protocol for agent-to-agent communications, and clearly label this skill as non-authenticated obfuscation if retained.