
Security audit

zcloak-ai-agent

Security checks across malware telemetry and agentic risk

Overview

The skill appears to support a legitimate identity, signing, and encrypted messaging workflow, but it gives agents authority to create persistent keys and publish signed or public records with insufficient consent and storage warnings.

Install only if you are comfortable with a skill that can create and reuse a persistent identity key, contact external or blockchain-backed services, publish signed/public actions, and store mailbox or decrypted message data locally. Require explicit approval before any registration, signing, post, follow, reply, like, on-chain action, or message decryption output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The skill explicitly instructs the agent to automatically create and then persistently reuse a private identity key at a fixed path, but the description does not prominently warn users that onboarding may generate long-lived credentials on disk. In a security-sensitive identity and signing workflow, lack of disclosure can lead to unintended key material creation, reuse across tasks, and surprise trust binding or signing under a persistent identity.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The skill description advertises registration, owner binding, on-chain signing, verification, manifests, encrypted messaging, and other internet-dependent flows, but it does not clearly warn that these operations may transmit identifiers, metadata, documents, or immutable records to networked or blockchain-backed services. Users may unknowingly expose sensitive data or create irreversible public artifacts because the privacy and integrity implications are understated.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill explicitly instructs the agent to publish a public post immediately after name registration without asking for user confirmation. This creates an unauthorized external side effect, can disclose onboarding activity or identity linkage, and violates the principle that public actions should require explicit user consent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The file explicitly instructs the agent to run signing commands on the user's behalf, which can publish authenticated events without an explicit confirmation step. In this skill's context, signing is not a read-only action: it creates durable identity, social, or document-related records, so an agent following these instructions too eagerly could cause unintended public or state-changing actions.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The guidance for posts, likes, dislikes, replies, and follows omits any warning that these are public or state-changing social actions. Because follows replace previous follow state and replies/likes create attributable signed events, an agent could expose user intent or alter social/account state without the user understanding the consequences.
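The overview and the three findings above all reduce to one control: a state-changing action (register, sign, post, follow, reply, like, on-chain write, decrypt-to-file) must not run on the strength of a general instruction in the skill file, only on an approval the user gave for that exact action. The gate below is an added example written for this page, not code from the zcloak skill or from SkillSpector. The action names, the fake backend and the scenario are placeholders; what it demonstrates is that an approval should be bound to a digest of the action plus its parameters, be single-use and expire, so a skill-file instruction such as "post immediately after registration" or an injected "sign this instead" cannot ride on the approval the user gave for something else.

```python
import hashlib
import hmac
import json
import secrets
import time

# Placeholder action names (assumption): which ones are public/state-changing
# follows the audit findings; read-only ones pass through without approval.
STATE_CHANGING = frozenset({
    "register", "bind_owner", "sign", "post", "follow", "reply", "like",
    "dislike", "onchain", "decrypt_to_file",
})
READ_ONLY = frozenset({"verify", "resolve", "list_mailbox"})


class ApprovalRequired(Exception):
    """A state-changing action was attempted without a valid approval."""


def action_digest(action, args):
    """Canonical hash of exactly what the user was shown and approved."""
    canonical = json.dumps({"action": action, "args": args},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ConsentGate:
    """Sits between the agent and whatever performs the real action.

    request_approval() is where the user sees the full action; the token it
    returns is bound to that action's digest, expires after ttl seconds and
    is consumed on first use, so it cannot be replayed or redirected.
    """

    def __init__(self, backend, ttl_seconds=300, now=time.time):
        self._backend = backend
        self._pending = {}          # digest -> (token, expiry)
        self._ttl = ttl_seconds
        self._now = now
        self.audit_log = []         # every prompt, refusal and execution

    def request_approval(self, action, args):
        digest = action_digest(action, args)
        token = secrets.token_hex(16)
        self._pending[digest] = (token, self._now() + self._ttl)
        self.audit_log.append(("prompted", action, digest))
        return token

    def execute(self, action, args, token=None):
        if action in READ_ONLY:
            return self._backend(action, args)
        if action not in STATE_CHANGING:
            raise ValueError(f"unknown action {action!r}")
        digest = action_digest(action, args)
        entry = self._pending.get(digest)
        if entry is None:                      # never shown to the user
            self.audit_log.append(("refused-no-approval", action, digest))
            raise ApprovalRequired(f"{action} needs explicit user approval")
        expected, expiry = entry
        if token is None or not hmac.compare_digest(expected, token):
            self.audit_log.append(("refused-bad-token", action, digest))
            raise ApprovalRequired(f"token does not match approved {action}")
        if self._now() > expiry:
            del self._pending[digest]
            self.audit_log.append(("refused-expired", action, digest))
            raise ApprovalRequired(f"approval for {action} expired")
        del self._pending[digest]              # single use
        self.audit_log.append(("executed", action, digest))
        return self._backend(action, args)


def demo():
    """Constructed scenario: the agent registers a name, then tries to post."""
    calls = []

    def fake_backend(action, args):            # stands in for the real skill
        calls.append((action, args))
        return {"ok": True, "action": action}

    gate = ConsentGate(fake_backend)
    out = {"lookup": gate.execute("resolve", {"name": "alice"})["ok"]}
    try:                                       # skill says "register": refused
        gate.execute("register", {"name": "alice"})
        out["register_unapproved"] = "ran"
    except ApprovalRequired:
        out["register_unapproved"] = "refused"
    token = gate.request_approval("register", {"name": "alice"})
    out["register_approved"] = gate.execute("register", {"name": "alice"}, token)["ok"]
    try:                                       # the automatic follow-up post
        gate.execute("post", {"text": "hello world"}, token)
        out["auto_post"] = "ran"
    except ApprovalRequired:
        out["auto_post"] = "refused"
    try:                                       # replaying the spent token
        gate.execute("register", {"name": "alice"}, token)
        out["replay"] = "ran"
    except ApprovalRequired:
        out["replay"] = "refused"
    out["backend_calls"] = [a for a, _ in calls]
    return out
```

Binding the token to a digest of the arguments is the part that matters: approving "post X" must not authorize "post Y", and approving one registration must not authorize the post the skill file wants to send right after it. The audit log gives the user a record of every refused attempt, which is also the signal that the skill or a prompt injection is trying to act beyond what was approved.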

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The documentation describes mailbox caching under ~/.config/zcloak/mailboxes/{principal}/ and also shows decrypt operations that can write plaintext to an output path, but it does not clearly warn users that sensitive mailbox metadata and decrypted message contents may persist on local disk. In a secure messaging workflow, this omission can lead operators to assume messages remain protected end-to-end while plaintext or searchable artifacts are actually left on disk, increasing exposure on shared hosts, compromised endpoints, or systems with backups and broad file access.
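After running a skill like this one, the practical question is what it left behind under the config directory and who can read it. The check below is an added example for this page, not part of the skill or of the audit tooling. Only the mailbox cache location (mailboxes/<principal>/ under the config directory) comes from the finding above; the key file name identity.key, the PEM-style header and the sample file contents are constructed assumptions so the check can be run offline against a temporary directory. The audit walks a directory, reports any file readable by group or others, and separately flags persisted key material and cached mailbox data regardless of mode, since those are the artifacts the finding says users are not warned about.

```python
import stat
import tempfile
from pathlib import Path

# Assumption: key material is recognised by name or by a PEM-style header.
# The mailboxes/<principal>/ layout is the one the finding describes.
PEM_HEADER = b"-----BEGIN"


def classify(path, root):
    """Label a file as key material, mailbox cache, or other."""
    rel_parts = path.relative_to(root).parts
    if rel_parts and rel_parts[0] == "mailboxes":
        return "mailbox-cache"
    lowered = path.name.lower()
    if "key" in lowered or "identity" in lowered:
        return "key-material"
    try:
        if path.read_bytes()[:16].startswith(PEM_HEADER):
            return "key-material"
    except OSError:
        return "unreadable"
    return "other"


def audit_zcloak_dir(root):
    """Return (relative path, kind, issues) for every file worth a warning."""
    root = Path(root)
    findings = []
    if not root.is_dir():
        return findings
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        kind = classify(path, root)
        issues = []
        if mode & 0o077:                        # anything beyond owner-only
            issues.append(f"readable by group/other (mode {mode:04o})")
        if kind == "key-material":
            issues.append("long-lived identity key persisted on disk")
        elif kind == "mailbox-cache":
            issues.append("mailbox metadata cached locally")
        if issues:
            findings.append((path.relative_to(root).as_posix(), kind, issues))
    return findings


def build_sample_tree(root):
    """Constructed fixture imitating what onboarding and mailbox use leave behind."""
    root = Path(root)
    (root / "mailboxes" / "alice").mkdir(parents=True)
    key = root / "identity.key"                 # assumed name, placeholder body
    key.write_bytes(b"-----BEGIN PRIVATE KEY-----\nnot a real key\n"
                    b"-----END PRIVATE KEY-----\n")
    key.chmod(0o644)                            # the sloppy case: world-readable
    cache = root / "mailboxes" / "alice" / "index.json"
    cache.write_text('{"messages": [{"from": "bob", "subject": "hi"}]}')
    cache.chmod(0o600)
    cfg = root / "config.toml"                  # benign, owner-only
    cfg.write_text('mailbox = "alice"\n')
    cfg.chmod(0o600)


def demo():
    """Build the fixture in a temp dir and audit it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_zcloak_dir(tmp)
```

To audit a real install, call audit_zcloak_dir on the actual config directory (the finding names ~/.config/zcloak) and extend the walk to any output paths you handed to decrypt operations, since plaintext written there sits outside the config tree and this check will not see it.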

VirusTotal

59/59 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.