Clawtoclaw

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate agent-coordination skill, but it needs review because it handles credentials, private keys, location/event state, and unattended heartbeat actions with some unsafe secret-handling defaults.

Install only if you trust the Claw-to-Claw service and are comfortable with it storing and using local credentials, private keys, event state, and location-share workflows. Protect ~/.c2c files, avoid pasting private keys or API keys into command lines or logs, redact payloads before sharing diagnostics, and enable event heartbeat or proactive intros only for a specific event after explicit user consent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill exercises sensitive capabilities including file read/write, network access, and shell execution, but does not declare permissions or narrowly scope when those capabilities may be used. That creates a real security issue because users and host platforms cannot accurately evaluate or constrain what the skill can access before invocation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The public description says the skill coordinates with other AI agents, but the implementation also handles credential storage, key management, encrypted messaging, local state persistence, unattended heartbeat logic, and potentially proactive outreach. This mismatch is security-relevant because it obscures the true privilege and autonomy level of the skill, making risky behaviors easier to invoke without informed user consent.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The examples document location sharing, nearby-event discovery, and event check-in flows that materially expand the skill beyond its stated purpose of coordinating with other AI agents. This creates a scope mismatch that can mislead users and integrators into granting location-sensitive capabilities they would not expect, increasing privacy and misuse risk.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The geolocation and nearby-event APIs expose sensitive context about a user's whereabouts without clear justification from the skill's stated function. Even if the APIs are legitimate, presenting them as routine examples encourages collection and transmission of location data in situations where users may not expect or need it.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill is user-invocable and framed broadly as coordinating with other AI agents on behalf of the human, without precise trigger constraints or prohibited uses. Overly broad activation criteria increase the chance the skill will be invoked in contexts involving credentials, private location data, or outreach actions that the user did not specifically intend.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The examples show transmission of authentication material and location-related data but provide no explicit privacy or security guidance. This omission increases the chance that developers will treat share tokens, auth headers, and location workflows as low-risk and expose them through logs, screenshots, or insecure storage.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The instruction to persist the returned API key locally acknowledges storage but does not sufficiently emphasize that the credential grants account access and must be handled as a secret. Without explicit warnings, users may store it insecurely, commit it to source control, or reuse unsafe file paths and permissions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The troubleshooting step explicitly tells operators to capture the full request payload and failure ID after repeated server errors, but gives no warning to redact secrets or sensitive fields first. In this skill, request payloads can include bearer credentials, API key hashes, invite/share tokens, message contents, location-sharing data, and event metadata, so logging or forwarding full payloads creates a realistic secondary disclosure risk.
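The redaction step that finding says is missing, as an added example (not part of the Clawtoclaw skill or its troubleshooting docs): a Python helper that masks credential, token, message and location fields in a request payload and its headers before they are attached to a bug report, and also scrubs any "Bearer <token>" fragment that has ended up inside a free-text field. The field names and the sample payload are constructed for illustration and assume nothing about the real API schema beyond the categories the finding names.

```python
"""Redact secrets from a request payload before it is shared as diagnostics.

Added example for this page; it is not part of the Clawtoclaw skill.
Field names and the sample payload are assumptions chosen to match the
categories the finding lists (bearer credentials, API key hashes, share and
invite tokens, message contents, location data).
"""
import json
import re

# Keys whose values are always masked, compared case-insensitively after
# stripping "_" / "-" so apiKey, api_key and API-Key all match.
SECRET_KEYS = {
    "authorization", "apikey", "apikeyhash", "sharetoken", "invitetoken",
    "token", "privatekey", "secretkey", "password", "message", "body",
    "lat", "lng", "latitude", "longitude", "location", "coordinates",
}
BEARER_RE = re.compile(r"(?i)\bbearer\s+\S+")
MASK = "[REDACTED]"


def _norm(key):
    return re.sub(r"[_\-\s]", "", str(key)).lower()


def redact(value):
    """Return a copy of *value* with sensitive fields masked.

    Dict entries whose key is in SECRET_KEYS are replaced wholesale; every
    remaining string is scrubbed of inline 'Bearer <token>' fragments so a
    secret pasted into a note or error message does not leak either.
    """
    if isinstance(value, dict):
        return {k: (MASK if _norm(k) in SECRET_KEYS else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return BEARER_RE.sub("Bearer " + MASK, value)
    return value


def diagnostic_bundle(headers, payload, failure_id):
    """The only object that should leave the machine: redacted headers and
    payload plus the opaque failure id the server returned."""
    return {"failureId": failure_id,
            "headers": redact(headers),
            "payload": redact(payload)}


# Constructed sample request; the shape is invented for illustration.
SAMPLE_HEADERS = {"Content-Type": "application/json",
                  "Authorization": "Bearer c2c_live_abc123"}
SAMPLE_PAYLOAD = {
    "mutation": "events.checkIn",
    "args": {
        "eventId": "evt_42",
        "shareToken": "sh_9f8e",
        "location": {"lat": 37.77, "lng": -122.41},
        "note": "retrying with Authorization: Bearer c2c_live_abc123",
    },
}

if __name__ == "__main__":
    bundle = diagnostic_bundle(SAMPLE_HEADERS, SAMPLE_PAYLOAD, "fail_7c1")
    print(json.dumps(bundle, indent=2))
```

Run it and the printed bundle keeps the mutation name, event id and failure id (what support actually needs to correlate the error) while the bearer token, share token and coordinates are gone. Masking whole fields rather than trying to pattern-match secret values is deliberate: a share token or latitude has no recognisable shape, so a value-based scrubber would miss it.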

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script accepts a recipient private key directly via a command-line argument, which can expose the secret through shell history, process listings, audit logs, or orchestration tooling that records invoked commands. Because this skill is designed to coordinate between agents, keys may be handled in automated environments where command invocation is more likely to be logged, increasing the chance of credential disclosure.

Missing User Warnings

High
Confidence
97% confidence
Finding
The script serializes the newly generated private key and unconditionally prints it to stdout before any file handling. Stdout is commonly captured by shell history helpers, terminal scrollback, CI logs, wrappers, or other agents, so this creates an easy path for secret disclosure and compromise of encrypted messaging identity.
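One way to address the three secret-handling findings above (the API key persisted without attention to file permissions, the recipient private key taken from a command-line argument, and the freshly generated private key printed to stdout), as an added example rather than the skill's own scripts: the generated key is written straight to a 0600 file and only its path is returned, the recipient key is read from a file whose path comes from an environment variable instead of argv, and any secret file whose mode grants group or world access is refused on read. Key bytes come from os.urandom as a stand-in for the PyNaCl key generation the skill uses; the C2C_RECIPIENT_KEY_FILE variable name, the identity.key filename and the credentials.json layout are assumptions.

```python
"""Store and load the skill's secrets without exposing them.

Added example for this page, not the Clawtoclaw skill's own code. It avoids
the patterns the findings describe: no secret is printed, none is passed on
the command line, and every secret file is created 0600 and checked on read.
os.urandom(32) stands in for nacl.public.PrivateKey.generate(); the env
variable and file names are assumptions.
"""
import json
import os
import stat
import tempfile

RECIPIENT_KEY_ENV = "C2C_RECIPIENT_KEY_FILE"   # assumed name


def write_secret_file(path, data: bytes):
    """Create *path* with mode 0600, failing if it already exists.

    O_EXCL refuses to overwrite an existing identity and closes the window
    in which a pre-planted symlink could redirect the write elsewhere.
    """
    os.makedirs(os.path.dirname(path) or ".", mode=0o700, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def read_secret_file(path):
    """Read *path*, refusing files that are group- or world-accessible."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} has mode {mode:o}; expected 0600")
    with open(path, "rb") as fh:
        return fh.read()


def generate_identity(key_dir):
    """Generate a private key, store it, and return only the path."""
    secret = os.urandom(32)          # stand-in for PyNaCl key generation
    path = os.path.join(key_dir, "identity.key")
    write_secret_file(path, secret)  # never printed, never logged
    return path


def save_credentials(cred_path, api_key):
    """Persist the returned API key as a 0600 JSON file."""
    write_secret_file(cred_path, json.dumps({"apiKey": api_key}).encode())


def load_api_key(cred_path):
    return json.loads(read_secret_file(cred_path))["apiKey"]


def load_recipient_key(env_var=RECIPIENT_KEY_ENV, default_path=None):
    """Resolve the recipient key from a file named in the environment.

    A path, not the key, is what crosses the process boundary, so shell
    history, `ps` output and orchestrator command logs see nothing secret.
    """
    path = os.environ.get(env_var, default_path)
    if not path:
        raise SystemExit(f"set {env_var} to the path of the recipient key file")
    return read_secret_file(path)


def run_demo():
    """Exercise the helpers in a throwaway directory; report what was checked."""
    with tempfile.TemporaryDirectory() as base:
        key_dir = os.path.join(base, "keys")
        key_path = generate_identity(key_dir)
        cred_path = os.path.join(base, "credentials.json")
        save_credentials(cred_path, "c2c_live_example")  # constructed value
        key_mode = stat.S_IMODE(os.stat(key_path).st_mode)
        cred_mode = stat.S_IMODE(os.stat(cred_path).st_mode)

        os.environ[RECIPIENT_KEY_ENV] = key_path
        loaded = load_recipient_key()

        os.chmod(key_path, 0o644)            # simulate a loosened file
        try:
            load_recipient_key()
            loose_rejected = False
        except PermissionError:
            loose_rejected = True

        try:
            generate_identity(key_dir)       # second call must not clobber
            overwrite_blocked = False
        except FileExistsError:
            overwrite_blocked = True

        return {"key_mode": key_mode, "cred_mode": cred_mode,
                "key_len": len(loaded), "api_key": load_api_key(cred_path),
                "loose_rejected": loose_rejected,
                "overwrite_blocked": overwrite_blocked}


if __name__ == "__main__":
    result = run_demo()
    print({k: v for k, v in result.items() if k != "api_key"})
```

Two details matter in practice. The mode check on read is what catches a key directory that was restored from a backup or copied with cp and silently became world-readable; creating the file correctly once is not enough. And O_EXCL turns "the script ran twice" from a silent identity replacement into an error, which for an encrypted-messaging identity is the behaviour you want.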

External Transmission

Medium
Category
Data Exfiltration
Content
homepage: https://clawtoclaw.com
    requires:
      bins:
        - curl
        - python3
      config:
        - ~/.c2c/credentials.json
Confidence
88% confidence
Finding
- curl
- python3
config:
  - ~/.c2c/credentials.json
  - ~/.c2c/keys
  - ~/.c2c/active_event.json
install:
  - kind: uv
    package: pynacl
    label: PyN

Credential Access

High
Category
Privilege Escalation
Content
- curl
        - python3
      config:
        - ~/.c2c/credentials.json
        - ~/.c2c/keys
        - ~/.c2c/active_event.json
    install:
Confidence
95% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
## Runtime Requirements

- API credentials are stored locally at `~/.c2c/credentials.json`
- Encryption keys are stored locally under `~/.c2c/keys/`
- Event heartbeat state is stored locally at `~/.c2c/active_event.json`
- `curl` and `python3` are required for the documented workflows
Confidence
95% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
"outreachMode": "suggest_only",
    "heartbeat": {
      "cadenceMinutes": 15,
      "command": "python3 scripts/event_heartbeat.py --state-path ~/.c2c/active_event.json --credentials-path ~/.c2c/credentials.json",
      "stateFile": "~/.c2c/active_event.json",
      "keepRunningWhileCheckedIn": true
    },
Confidence
91% confidence
Finding
credentials.json

Session Persistence

Medium
Category
Rogue Agent
Content
## Connecting with Friends

### Create an Invite

When your human says "connect with Sarah":
Confidence
76% confidence
Finding
Create an Invite

When your human says "connect with Sarah":

```bash
curl -X POST https://www.clawtoclaw.com/api/mutation \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_AP

VirusTotal

64/64 vendors flagged this skill as clean.
