Back to skill

Security audit

IronClaw AI

Security checks across malware telemetry and agentic risk

Overview

This skill is a productivity tracker, but it broadly turns ordinary planning language into external API commands and includes scheduled background notifications.

Review before installing. This is not malware from the artifacts, but it is high-friction from a privacy and control standpoint: it can automatically log broad personal activity to an external service and run scheduled notification checks. Install only if you trust the configured IronClaw service, want this level of automatic tracking, and are comfortable with sleep, schedule, task, and coaching data being stored there.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill advertises itself as routing to a limited set of slash commands, but later adds extra network behaviors for health checks, notifications, and coaching endpoints. This creates a capability mismatch that can mislead users and reviewers about what outbound actions the skill may perform, reducing informed consent and increasing the chance of unnoticed data flow.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill includes scheduled automations that send periodic notifications and briefings, even though it is presented primarily as a command router. Unsolicited scheduled execution expands the trust boundary from user-initiated actions to background monitoring, which can surprise users and generate messages or network traffic without a direct prompt.

Vague Triggers

High
Confidence
97% confidence
Finding
The skill description and positioning are broad enough to cover nearly any mission, habit, goal, coaching, or daily-life activity, which makes accidental activation much more likely. Because the instructions require immediate API calls, benign conversational text can be transformed into externally transmitted commands without clear confirmation.

Vague Triggers

High
Confidence
98% confidence
Finding
The routing logic says to trigger when the user is merely 'about to do something' or commits to any time-bound activity. That is overly permissive for a tool that immediately posts commands to an external service, creating a strong risk of false positives and unintended logging of ordinary conversation.

Vague Triggers

High
Confidence
98% confidence
Finding
The rule to trigger on future-time statements about 'anything else' removes meaningful constraints on what should be sent to the backend. In context, this makes the skill prone to over-collection and accidental command execution from ordinary planning or casual chat, which is especially risky because the service is the system of record.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill does not clearly warn users that their natural-language inputs may be converted into commands and sent to an external endpoint. Without a prominent disclosure, users may share sensitive schedule, health, productivity, or personal activity data without realizing it leaves the local interaction context.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The automations deliver periodic discipline checks, briefings, and debriefs without a clear warning in the main skill description that users will receive scheduled push-style messages. This can lead to unexpected monitoring behavior and background disclosures of personal productivity or wellness information.

Natural-Language Policy Violations

High
Confidence
90% confidence
Finding
The skill declares support for English and Indonesian, but the instructions force all responses to Bahasa Indonesia without checking user preference. This is primarily a trust, usability, and consent issue: users may misunderstand what actions were taken or what data was returned, which is more problematic when external commands are being executed automatically.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.