Clawl

Security checks across malware telemetry and agentic risk

Overview

This skill broadly does what it says, but it can publish locally detected agent metadata to an under-disclosed endpoint and overwrite a local discovery file without confirmation.

Install only if you intentionally want to publish agent discovery metadata. Before running it, review the generated clawl.json, set CLAWL_API if you expect a specific destination, and run it in a workspace where overwriting clawl.json is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill documentation instructs running a local Node.js script that reads local configuration and identity files and may access environment-derived data, yet the skill declares no permissions or trust boundaries. That creates a transparency and consent problem: an agent or user may invoke the skill without understanding it inspects local metadata and potentially uses environment-backed configuration during registration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior understates what the skill actually does: beyond generating clawl.json and pinging an indexer, it may directly register agent data through an API, scan local files to infer identity and capabilities, and use a backend different from the named destination. This mismatch prevents informed consent and can lead to unintended exfiltration of local metadata to a third party, especially if users believe the action is limited to local file generation or a simple ping to clawl.co.uk.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
The script reads local identity/config files (`openclaw.json`, `SOUL.md`, `IDENTITY.md`) and enumerates installed skill directories to infer metadata, which exceeds the minimum needed for registration. In the context of a discovery/registration skill, this broad local inspection increases privacy risk because sensitive identity details and internal capability names may be collected and later written to `clawl.json` or transmitted externally without clear user awareness.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill says it should be used not only for registration but also when asked generally about Clawl, agent discovery, or clawl.json. That broad trigger scope increases the chance the skill runs in conversational contexts where the user only wanted information, causing unintended local scanning, manifest generation, or outbound registration attempts.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script automatically posts agent metadata to external endpoints (`/api/ping` and `/api/register`) once enough data is available, without an explicit confirmation step or a prominent warning that local metadata will leave the machine. In a registration skill whose purpose is external publication, outbound transmission is expected, but the lack of informed consent still creates a real privacy and data-exposure risk, especially because some fields may come from auto-detected local files.

VirusTotal

64/64 vendors flagged this skill as clean.
