Become Ceo

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Discord AI-team setup that needs bot/API credentials and a persistent gateway, but the reviewed files do not show hidden, destructive, or exfiltrating behavior.

Install only if you trust the external `clawdbot` package and want a long-running Discord bot gateway. Use dedicated low-permission Discord bot tokens, keep `~/.clawdbot/clawdbot.json` private, avoid committing keys or tokens, and review memory files because they persist across restarts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
This markdown file applies to SQP-2, and L17 explicitly tells the user to fill in an LLM API key and Discord bot tokens. The document provides setup steps but does not warn that these are sensitive credentials that should be protected, not committed to version control, and handled carefully.

Natural-Language Policy Violations

Medium
Confidence: 95%
Finding
The natural-language setting "Language: English" imposes a specific language requirement in the user profile without offering opt-in, alternatives, or a documented reason. This matches the policy category for language or locale constraints that are forced on the user.

VirusTotal

65/65 vendors flagged this skill as clean.
