Sovereign Identity

Security checks across malware telemetry and agentic risk

Overview

This looks like a local identity-signing skill, but it gives the agent the authority to create signed business mandates with weak approval boundaries and incompletely reviewed signing inputs.

Review before installing. Use this only if you want an agent to hold a persistent local signing identity. Require explicit approval for every mandate, inspect or supply the missing mandate payload yourself, protect CLAW_PASSWORD and .env.agent like signing credentials, and do not rely on verify_did.ts as full DID or trust-chain verification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The file and messaging imply decentralized identifier verification, but the implementation only verifies a JWS using a locally supplied public JWK and local JSON files. This can mislead users or downstream automation into believing DID resolution, document validation, key binding, and trust-chain checks occurred when they did not, creating a security gap where untrusted or incorrectly bound keys are accepted.

Vague Triggers

Medium
Confidence: 95%
Finding
The decision matrix relies on broad keyword matching such as "sign," "buy," "access," and "view," which can easily misclassify ordinary prompts and cause the agent to select the wrong identity persona or proof mechanism. In this skill, a wrong routing decision could result in unnecessary disclosure of a Corporate DID or signed mandate in low-trust contexts, or failure to apply the intended privacy-preserving pairwise identity model.

Missing User Warnings

Medium
Confidence: 88%
Finding
The README explicitly instructs users to run onboarding that saves identity keys to `.env.agent`, but it does not clearly describe that this file contains highly sensitive long-lived secret material or provide handling guidance beyond saying it is gitignored. Persisting private keys in dotenv-style files increases the chance of accidental exposure through local tooling, logs, backups, misconfigured ignore rules, or agent access to the workspace.

Vague Triggers

Medium
Confidence: 92%
Finding
The decision matrix relies on overly broad keywords like 'sign' and 'access' to choose an identity persona and protocol, which can be triggered by benign or adversarial phrasing. In this skill, incorrect routing is dangerous because it may cause the agent to present a Corporate DID or attach a signed mandate in the wrong context, leading to over-disclosure, unauthorized authorization, or identity correlation.

VirusTotal

66/66 vendors flagged this skill as clean.