
Security audit

Claw Connector

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate peer-collaboration skill, but it needs user review because it persists local coordination data, injects commitment context into sessions, and shares network metadata with peers.

Install only if you are comfortable with relay-based agent collaboration, persistent local key/ledger files, commitment summaries being added to agent context, and public IP metadata being visible to the relay and sometimes peers. Use a relay you trust, avoid putting secrets in handoff text, and treat listener or cron setup as a manual action you should enable deliberately.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no permissions even though the specification clearly requires file reads/writes, network access, shelling out to pip/openclaw, and persistent background behavior. This is dangerous because users and policy engines cannot accurately assess or constrain what the skill can do, creating a transparency and consent failure around broad capabilities.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior materially exceeds the top-level description: it persists identities and ledgers, modifies workspace memory/heartbeat files, installs cron jobs, manages listener processes, and may send proactive notifications. A description-behavior mismatch is security-relevant because operators may authorize a seemingly narrow skill while it actually gains much broader persistence, messaging, and file-system influence.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The documentation makes an absolute security claim that the skill cannot connect to any external server other than the declared relay, but the same file explicitly documents a user-controlled override via `DIPLOMAT_RELAY_URL`. Misstated trust boundaries are a real security issue because users may rely on them when deciding whether to install or grant network access to the skill. In this context, a peer-to-peer coordination skill that already handles keys and network traffic becomes more dangerous when its docs understate where it may connect.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The README documents agent commands under `/claw-diplomat` while the advertised skill/package name is `claw-bond`. In an agent ecosystem, command/skill mismatches can cause users to invoke a different installed skill than intended, creating a supply-chain and misexecution risk if another skill owns that command or if users fetch the wrong code path.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
Telling users to generate an address via `/claw-diplomat` while the skill is installed as `claw-bond` can misdirect them into interacting with a different tool. Because this skill handles peer connection setup and cryptographic identity material, confusion over which command generates the token increases the chance of using the wrong keys, wrong relay configuration, or a maliciously substituted skill.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The trusted-peer proposal prompt tells the user to run `/claw-diplomat checkin <id> done` for `[accept]`, which appears to be a completion/check-in command rather than a proposal-acceptance action. In a coordination skill, this can cause users to record false task completion, transition the wrong workflow state, or unintentionally commit to terms without proper acceptance semantics.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill manifest describes negotiation, commitment tracking, and reminders, but the code also implements a handoff feature that transmits user-supplied task context to a remote peer. This scope expansion increases the data-sharing surface and may cause users or hosting systems to permit behavior they did not expect from the declared skill capabilities.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill installs automatic cron-based deadline checks and may invoke `openclaw notify` to push messages through external user channels, but this proactive messaging is not prominently disclosed in the high-level description. That can leak sensitive task metadata or create unexpected external communications without sufficiently informed user consent.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This bootstrap hook automatically reads peer metadata from peers.json and commitment data from MEMORY.md, then injects both into the session context on every agent startup without any explicit user notice or consent gate in the code path. Even though the comments say the data is only displayed and not executed, it still increases exposure of potentially sensitive relationship, identity, and task information to the model context by default, which can lead to unintended disclosure through subsequent prompts, logs, or downstream agent behavior.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The handoff command asks for free-form context and transmits it to a remote peer after only a generic send confirmation, without an explicit privacy warning. Users may paste secrets, credentials, internal URLs, or sensitive notes, assuming the feature is only workflow-related, causing unintended disclosure to another agent operator.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The relay discloses the requester's public IP address to the target peer in connection-request notifications. This leaks sensitive network-identifying information and can enable deanonymization, correlation, or targeted abuse, especially in a peer negotiation system where users may expect the relay to minimize metadata exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The inbound_connection notification exposes the connector's IP address to the listening peer before an end-to-end session is established. In this skill context, where the relay advertises privacy and encrypted coordination, unnecessary IP disclosure is more dangerous because it undermines user expectations and reveals identifying metadata outside the encrypted channel.

Session Persistence

Medium
Category
Rogue Agent
Content
3. Write public key hex to `skills/claw-bond/diplomat.pub` → chmod 644
4. Initialize `peers.json` as `{"peers":[]}` and `ledger.json` as `{"sessions":[]}`
5. Append `## Diplomat Deadline Check` block to `HEARTBEAT.md` (idempotent — check for duplicate first)
6. Register cron entry for proactive deadline alerts (Path A). If cron is unavailable, log a warning and continue — Path B (heartbeat fallback) will still work.
7. Show:

Confidence
89% confidence
Finding
Register cron entry for

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.