Back to skill

Security audit

Skill Security Scanner

Security checks across malware telemetry and agentic risk

Overview

This is a defensive skill scanner whose file reads, network fetching, and optional workflow hooks are disclosed and fit its purpose.

Reasonable to install as a defensive helper, but treat results as advisory rather than a guarantee. Only add the AGENTS.md policy or pre-commit hook if you want those ongoing workflow controls, and prefer scanning trusted ClawHub or local sources because malformed or oversized remote archives could still create operational risk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code downloads a ZIP from a remote URL and extracts it to disk automatically, with no integrity verification, no path sanitization checks, and no explicit user confirmation about the network fetch and filesystem write. In a security scanner context, this is risky because scanning an untrusted skill should not itself perform unsafe archive extraction, and a crafted ZIP could abuse extraction behavior or cause unexpected local writes.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.