Oraclaw Cmaes

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only optimizer skill with a disclosed OraClaw API key requirement and pricing; the main risk is sending optimization inputs to an external service.

Install only if you trust OraClaw, are comfortable providing an ORACLAW_API_KEY, and understand the disclosed $0.10 per optimization pricing after any free tier. Avoid sending sensitive financial, regulated, proprietary, or personal optimization inputs unless you have reviewed the provider's data-handling terms and have approval to use an external service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill declares a required API key and external homepage/pricing metadata, indicating dependence on an external service, but it does not explicitly warn that user-supplied optimization parameters or objective-related data may be transmitted off-platform. In agent settings, this omission can lead to unintentional disclosure of sensitive model parameters, financial inputs, or calibration data to a third party without informed user consent.

VirusTotal

64/64 vendors flagged this skill as clean.
