ClawHeart Security

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is a coherent ClawHeart security-audit helper, but it exposes broad local inspection and credential-configuration commands with loose trigger language and limited confirmation guidance.

Install only if you intentionally want an agent to drive ClawHeart on your machine. Before use, confirm each scan or inventory command, avoid provider add/import/overwrite and init --reset unless you explicitly requested that change, and review the external ClawHeart CLI installer before running the suggested curl or PowerShell install commands.

SkillSpector (4)

By NVIDIA

Context-Inappropriate Capability

Medium (85% confidence)

Finding: The skill advertises provider subcommands including add/import/overwrite, which expands from passive audit/governance into active credential and configuration modification. In an agent skill, exposing mutating security-sensitive commands increases the chance of unintended or socially engineered changes to provider settings or secrets.

Context-Inappropriate Capability

Low (72% confidence)

Finding: Documenting `clawheart init [--reset]` broadens the skill from inspection into environment-changing setup/reset actions. Even if not automatically invoked, including reset-capable functionality in the skill increases the risk of an agent steering users into disruptive or destructive state changes.

Vague Triggers

Medium (83% confidence)

Finding: The description says the skill should be called for vague intents like 'scan AI security or similar,' which creates an overly broad activation boundary. Ambiguous triggers can cause an agent to invoke local security tooling unexpectedly, exposing local inventory or system posture when the user did not clearly request that action.

Vague Triggers

Medium (86% confidence)

Finding: The command mapping uses broad everyday-language phrases to trigger powerful local CLI actions, including scans, agent enumeration, and provider inspection. In skill systems, loose intent mapping increases the risk of over-triggering and collecting sensitive local information beyond the user's precise intent.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
