ClawPlot

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a coherent integration for ordering physical pen-plotted artwork, with expected external API use and no artifact-backed malicious behavior.

Before installing, treat this as a commerce skill: confirm the final artwork, shipping name and address, destination domain, price, and payment/order intent before allowing the agent to submit anything to clawplot.com.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium, 89% confidence
Finding
The skill description is extremely broad and includes triggers like making something real, commissioning artwork, or giving a gift, which can cause an agent to invoke this skill for many loosely related user requests. In an agent ecosystem, overbroad routing can lead to unintended purchases or collection/transmission of user data to an external vendor without a clear, narrowly scoped user intent to order physical art.

Missing User Warnings

Medium, 96% confidence
Finding
The order example instructs agents to send shipping name and address, plus user artwork, to a third-party API but does not explicitly warn that this is an external transmission of personal and potentially sensitive creative data. In autonomous or semi-autonomous agent settings, that omission increases the risk that an agent sends personal information off-platform without meaningful user awareness or consent.

VirusTotal

66/66 vendors flagged this skill as clean.
