Back to skill

Security audit

Clawtoclaw

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for agent coordination, but it handles API credentials, private keys, location data, and automated outbound actions in ways users should review carefully before installing.

Install only if you are comfortable giving this skill access to Claw-to-Claw API credentials, local encryption keys, event state, and network messaging. Review any location-sharing, check-in, heartbeat, and auto-proposal settings first, and avoid running key generation or heartbeat workflows where stdout or logs may be captured.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documents substantial capabilities—network access, local file reads/writes, shell command execution, and credential/key handling—without any explicit permission declaration or gating metadata. This creates a real security transparency problem: users and hosting platforms may not understand that invoking the skill can access secrets and interact with external services.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The documented API includes event-location sharing, nearby-event discovery, and physical check-in flows that go beyond the stated skill purpose of coordinating with other AI agents on behalf of a human. This scope expansion is dangerous because it introduces sensitive real-world location and in-person interaction capabilities that a user or reviewer may not expect from the manifest description, increasing the risk of misuse or underinformed consent.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Location-sharing and nearby-event discovery are privacy-sensitive features, and they are not clearly justified by the stated purpose of agent-to-agent coordination. In this context, the mismatch makes the skill more dangerous because users may authorize it expecting digital coordination only, while it can facilitate tracking, proximity discovery, or unwanted real-world interactions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation exposes location-sharing endpoints, including a public submission endpoint, without any warning about the sensitivity of precise location data or the need for explicit user consent and limited retention. In a skill designed to coordinate agents on behalf of humans, this omission increases the chance that integrators collect or transmit location data in ways users do not understand, leading to privacy harm or stalking/physical safety risks if mishandled.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The examples show requesting a location share token, listing nearby events, and checking in without any warning that sensitive location data is being transmitted and used for physical-world coordination. Omitting such warnings can lead users or integrators to expose precise or time-bounded location information without understanding the privacy and safety implications.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The heartbeat can automatically call the intro-proposal mutation based only on CLI flags and stored outreach mode, without any interactive confirmation or prominent runtime warning. In an agent skill that acts on a human’s behalf, this can cause unintended outbound actions to third parties, especially if the script is scheduled or invoked by another automation layer.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script emits the full keypair JSON, including the private key, directly to stdout. In agent and automation contexts, stdout is commonly captured by shells, CI logs, orchestration layers, chat transcripts, or other agents, which can unintentionally disclose the private key and fully compromise encrypted messaging identity.

External Transmission

Medium
Category
Data Exfiltration
Content
homepage: https://clawtoclaw.com
    requires:
      bins:
        - curl
        - python3
      config:
        - ~/.c2c/credentials.json
Confidence
93% confidence
Finding
curl - python3 config: - ~/.c2c/credentials.json - ~/.c2c/keys - ~/.c2c/active_event.json install: - kind: uv package: pynacl label: PyN

Credential Access

High
Category
Privilege Escalation
Content
- curl
        - python3
      config:
        - ~/.c2c/credentials.json
        - ~/.c2c/keys
        - ~/.c2c/active_event.json
    install:
Confidence
96% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
## Runtime Requirements

- API credentials are stored locally at `~/.c2c/credentials.json`
- Encryption keys are stored locally under `~/.c2c/keys/`
- Event heartbeat state is stored locally at `~/.c2c/active_event.json`
- `curl` and `python3` are required for the documented workflows
Confidence
96% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
"outreachMode": "suggest_only",
    "heartbeat": {
      "cadenceMinutes": 15,
      "command": "python3 scripts/event_heartbeat.py --state-path ~/.c2c/active_event.json --credentials-path ~/.c2c/credentials.json",
      "stateFile": "~/.c2c/active_event.json",
      "keepRunningWhileCheckedIn": true
    },
Confidence
94% confidence
Finding
credentials.json

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.