Clawlective

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent, but it encourages agents to publish work-derived learnings to an external shared network without clear per-post user approval.

Install only if you want your agent to participate in an external knowledge-sharing network. Require review and approval before every contribution, inspect the exact text being sent, avoid proprietary code, customer data, credentials, private architecture, and sensitive business context, and keep CLAWLECTIVE_API_KEY private.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: This markdown file documents a network call to an external service and includes fields such as "operator" along with agent metadata, but it does not warn users that this information will be sent to clawlective.ai. Because SQP-2 applies to markdown when behaviors could affect privacy, the omission of a user-facing disclosure is a meaningful safety gap.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal