Back to skill

Security audit

ClawSend

Security checks across malware telemetry and agentic risk

Overview

ClawSend is a coherent agent messaging skill, but its relay access controls and message callback feature create review-worthy security risk.

Install only if you are comfortable with a public-relay messaging tool that creates a persistent local identity, stores message contents locally, and may expose relay-side messages or metadata if the hosted relay uses this server code. Avoid using --on-message unless the callback is a fixed, trusted script, and do not forward message contents to human channels unless the sender and content are intended for that channel.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (42)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""
    try:
        message_json = json.dumps(message, ensure_ascii=False)
        result = subprocess.run(
            command,
            shell=True,
            input=message_json,
Confidence
98% confidence
Finding
result = subprocess.run( command, shell=True, input=message_json, text=True, capture_output=True, timeout=30, # 30 seco

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill exposes substantial capabilities including shell execution, file read/write, network access, and environment interaction, but does not declare permissions or prominently warn users. That creates a transparency and consent failure: an agent or operator may invoke it expecting simple messaging while the skill can also create keys, persist data, contact external infrastructure, and execute callbacks.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared purpose suggests a bounded messaging utility, but the documented behavior expands into identity lifecycle management, persistent storage, relay administration, discovery, log retrieval, and arbitrary command execution on message receipt. This mismatch can mislead agents and users into granting trust or invoking the skill in contexts where they would not knowingly permit those broader actions.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The `--on-message` feature instructs agents to execute an arbitrary shell command when a message arrives, with message content passed via stdin. In a messaging skill, this creates a risky automation boundary where untrusted remote input can trigger local code paths, greatly increasing the chance of command misuse, unsafe handlers, or downstream injection vulnerabilities.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The documentation recommends forwarding received messages to external human communication channels such as WhatsApp or Telegram, which exceeds the core relay purpose and can exfiltrate message contents beyond the original trust boundary. Without strict consent and privacy controls, sensitive inter-agent data may be disclosed to third-party services or incorrect recipients.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script is intended to view logs, but it unconditionally calls ensure_ready(), which may create a vault and register the agent with the relay as a side effect before any read-only action is performed. A log-inspection command should not mutate state or initiate network registration, because merely viewing logs can unexpectedly create identities, contact external infrastructure, or alter local/server state in environments where passive inspection is expected.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The --on-message feature allows automatic execution of an arbitrary command whenever a message arrives. This creates a direct bridge from network-triggered events to local code execution, which is risky in an agent-to-agent messaging context where incoming messages may be attacker-controlled or spoofed if verification is bypassed or sender trust is weak. The danger is amplified in polling mode because execution can happen continuously and unattended.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Using shell=True means the callback string is interpreted by the system shell rather than executed as a direct program invocation. This expands the attack surface to shell metacharacters, environment behavior, and chaining/redirection semantics, making the callback mechanism substantially more dangerous than simple message handling. In an automation skill, this can turn a convenience hook into a remote-triggered execution primitive.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The `/receive/<vault_id>` and `/unread/<vault_id>` endpoints allow any unauthenticated caller to retrieve queued messages or mailbox metadata for arbitrary vault IDs. In a messaging relay, this breaks confidentiality and enables mailbox enumeration, letting attackers read stored conversation data or probe who is receiving traffic.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The server exposes public discovery and observability capabilities (`/agents`, `/resolve/<alias>`, conversation logs, and per-agent logs) that go beyond a minimal relay and disclose identity, key, and communication metadata. While not all of this is secret by design, unauthenticated broad access increases reconnaissance value and privacy risk for all registered agents.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
`/messages/<conversation_id>/log` and `/logs/<vault_id>` expose conversation participants, timing, message counts, and delivery/acknowledgment status without any authentication. This leaks sensitive communication graphs and operational metadata, and can support profiling, surveillance, or targeting even if payloads are encrypted.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The public agent directory and alias resolution endpoints provide broad enumeration of registered agents and expose their aliases and public keys. Public keys may be intended for discovery, but unrestricted bulk listing materially lowers the cost of reconnaissance, targeting, and spam against relay users.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger guidance uses broad everyday phrasing like 'message', 'tell', 'contact', and 'reach out to', which can cause over-invocation of this skill in ordinary conversations. In this context, accidental activation is meaningful because the skill can perform network actions, identity registration, and data transmission to a public relay.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill states that it will automatically create an identity and register with a public relay on first use, but it does not present this as a high-sensitivity action requiring informed consent. Generating persistent cryptographic identity material and transmitting registration data to an external service changes the user's security posture and should not happen silently.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Forwarding messages to human communication channels is documented without a clear privacy warning or consent model. Because messages may contain sensitive agent-to-agent data, sending them to third-party messaging platforms can leak confidential information and create compliance or data-handling risks.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code automatically creates a local identity vault and performs network registration with the default production relay on first use, without explicit user consent or an interactive approval step. In an agent skill context, this can cause unintended external communication, persistent identity creation, and metadata disclosure to a third-party service simply by invoking the feature, which violates least surprise and can be unsafe in restricted or high-trust environments.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The vault persists full message contents and quarantined messages to disk automatically, but this code provides no consent, disclosure, retention control, or redaction. In a messaging skill handling potentially sensitive agent-to-agent traffic, silent local storage increases privacy and data-exposure risk if the host is multi-user, backed up, compromised, or inspected later.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script treats relay-received message content as displayable and storable data without sanitization or an explicit trust boundary. In an agent-to-agent messaging context, this is risky because untrusted payloads may contain terminal control sequences, misleading content, or sensitive data that gets persisted locally and echoed to operators, increasing the chance of log/terminal injection and unsafe downstream handling.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code performs stateful first-run actions automatically: it creates a persistent identity vault locally and contacts a hard-coded production relay to register the identity, all without explicit user consent. In an agent skill context, that creates an unexpected network side effect and persistent credential material, which can violate user expectations, leak metadata to an external service, and make downstream behavior harder to audit or contain.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The vault persists full message contents to local disk in the history directory, which can expose sensitive communications if the host is compromised, backups are accessible, or filesystem permissions are too broad. In this skill's context, the component handles agent-to-agent messaging with cryptographic protections in transit, so storing plaintext message bodies at rest materially weakens the overall confidentiality model.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Quarantined messages are also written to disk with their full contents, which may include malicious, sensitive, or unexpected payloads that the user assumed were merely isolated, not durably stored. Because quarantine is specifically for unknown senders, this increases exposure to untrusted content and can leak confidential data or preserve attacker-controlled material unnecessarily.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The --on-message option exposes dangerous command-execution behavior without a strong warning proportional to the risk. In a messaging receiver, users may treat this as a routine automation flag, but it effectively authorizes local command execution in response to external events. That makes poor disclosure a meaningful security issue because it increases the chance of unsafe deployment.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The message retrieval endpoint does more than omit a warning: it directly exposes stored messages to unauthenticated callers for any vault ID. The dangerous condition is the missing access control itself, and the optional `debug` mode amplifies exposure by revealing message counts, recent message metadata, and similar recipient IDs.

Missing User Warnings

Low
Confidence
95% confidence
Finding
The unread-count endpoint leaks mailbox existence and activity metadata for arbitrary vault IDs without authentication. Attackers can use it to enumerate active recipients, monitor communication cadence, or correlate user activity over time.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The conversation log endpoint reveals message history metadata, including participants, timestamps, message types, and delivery status, to any caller with a conversation ID. In an agent-to-agent messaging system, this metadata is sensitive because it exposes relationships and operational timelines even without payload access.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.