ClawPaw Phone Control

Security checks across malware telemetry and agentic risk

Overview

The skill is review-worthy because it sets up legitimate ClawPaw phone control but also bundles broad, high-impact phone automations and persistent credential/ADB access with incomplete consent and scoping.

Install only if you intentionally want this skill to have broad remote control over an Android phone. Review or remove the nested use-case skills you do not need, especially attendance check-in, messaging, posting, ride booking, camera/location check-ins, and daily notification/location digests. Prefer not to store the ClawPaw secret in plaintext, avoid `curl -k`, delete temporary screenshots, disable wireless ADB after setup, and require explicit confirmation before any message, post, ride, attendance, camera, microphone, location, or notification-history action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (38)

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The skill claims MCP tools are sufficient and that no API calls are needed, but later instructs use of shell/ADB commands as part of normal operation. This mismatch obscures the true privilege boundary and can cause an agent or reviewer to underestimate that the skill may invoke broader device-control capabilities than advertised.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
Documenting shell/ADB execution extends the skill beyond bounded MCP-driven phone interaction into general command execution on a connected device. That creates a materially larger attack surface because shell/ADB can alter device settings, launch arbitrary intents, or access functions not covered by the skill's stated controls.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The description presents the skill as operating through ClawPaw MCP tools, but the documented workflow relies on direct shell/ADB operations in routine scenarios. This is dangerous because users and orchestration systems may grant trust based on a narrower capability model than the skill actually uses.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
The skill content clearly implements automated Feishu attendance check-in, while the supplied skill metadata says the skill is for ClawPaw Android setup and troubleshooting. This mismatch is dangerous because it can hide sensitive, high-impact behavior behind an unrelated label, defeating user expectations, review processes, and policy gating.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The skill remotely launches Feishu, navigates the UI, and submits attendance actions in a third-party app, which is unrelated to device setup. Automating a legally or administratively meaningful action like check-in can enable unauthorized submissions, timekeeping fraud, and misuse of the user's authenticated session.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The documentation explicitly describes Feishu check-in behavior, contradicting the declared ClawPaw setup intent. This inconsistency increases risk because operators or automated systems may trust the top-level metadata while the actual instructions carry out unrelated sensitive actions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The skill’s stated purpose is to summarize notifications, but it expands into opening apps and performing follow-on UI actions. That broadens the capability from passive data access to active device control, creating a scope-creep risk where a simple notification query can become arbitrary in-app interaction with sensitive content.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
Using a shell command to launch arbitrary app packages is more powerful than necessary for generating a notification digest and bypasses tighter task scoping. If triggered in response to ambiguous user requests, it can open sensitive apps and expose or enable actions on private data beyond the original read-only intent.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The file metadata and body describe a place-registration skill, but the provided skill metadata says this is for Android setup and SSH tunnel verification. This mismatch can cause the agent to invoke the wrong capability and unnecessarily collect or manipulate sensitive location data when the user expected device setup help, creating a significant integrity and privacy risk.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding
The manifest and title frame this skill as a price-checking utility, but the documented workflow also supports booking a real Uber ride. That scope expansion is dangerous because a user or orchestrator may invoke the skill expecting read-only behavior, while the skill contains a state-changing action with financial and real-world consequences. The requirement to confirm before booking reduces severity, but it does not eliminate the mismatch between declared and actual capability.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
This section instructs the operator to send a user's secret to a remote service in request headers and to decode and save a phone screenshot to `/tmp/phone_screen.png`, then read and display it. That combines credential handling with capture of highly sensitive device content, but provides no privacy notice, minimization, consent check, retention guidance, or cleanup steps.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The MCP configuration stores `CLAWPAW_SECRET` persistently in `~/.claude.json` without warning that this exposes long-lived credentials to local compromise, backups, logs, or accidental sharing. Persisting a reusable secret in plaintext increases the blast radius far beyond the immediate setup session.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The invocation scope is extremely broad: "do something on the phone" covers many sensitive actions such as messaging, screenshots, location access, media capture, and device-state changes. Without clear boundaries or consent requirements, the skill can be triggered for high-risk actions too easily.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The skill exposes privacy-sensitive capabilities including screenshots, GPS location, camera capture, and audio recording without requiring disclosure, justification, or explicit consent. In this context, the skill is specifically designed to control a real phone, so these capabilities directly enable surveillance and collection of sensitive personal data.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill advertises sending messages and changing device state without warning that such actions may affect user data, communications, settings, or safety. Because the skill can directly operate a phone, these actions can cause unintended disclosures, user impersonation, or disruptive state changes if triggered casually.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The script explicitly enables wireless ADB on TCP port 5555, which increases device exposure by allowing debugging access over the network once the device is reachable. In a phone-control setup skill, this is especially sensitive because ADB provides powerful control capabilities, and the script does not warn the user about network risk, scope the exposure, or disable wireless ADB afterward.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The script sends a sensitive secret in an HTTP header to a remote backend and suppresses TLS certificate verification with `curl -k`, which weakens transport security and makes interception or machine-in-the-middle attacks more plausible. In this skill context, the credential authorizes remote ADB operations against a phone, so disclosure or misuse could enable unauthorized device control.

Missing User Warnings

Severity: Low
Confidence: 83%
Finding
The script performs an active remote action on the device by issuing a home keypress as a connectivity test, but it does so automatically after connection without explicit operator confirmation. While low severity, this can cause unintended device interaction and demonstrates that the backend can execute control actions on the phone.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill instructs the agent to download and install an APK, change the system input method, and delete a file on the device without first requiring explicit user confirmation or warning about those system-level changes. These actions alter device behavior and trust boundaries; activating a new IME is especially sensitive because keyboards can observe all typed content, so silent execution increases the risk of user surprise or unintended compromise.

Vague Triggers

Severity: Medium
Confidence: 78%
Finding
The trigger phrases are broad enough that an agent could invoke this skill in loosely related contexts such as generic 'fix typing' or first-time setup, causing unnecessary progression toward APK installation and IME modification. In a skill that changes device configuration, overbroad activation increases the chance of unintended execution even if the instructions themselves are operationally legitimate.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
This skill instructs the agent to capture a photo, retrieve precise location/address, and fetch weather to build a check-in card, but it contains no explicit requirement to obtain clear user consent for each privacy-sensitive action or warn that highly sensitive data will be collected and combined. Because the skill bundles image capture with geolocation and contextual enrichment, it increases the risk of collecting and exposing personally sensitive information beyond what a user may expect from a simple 'check in' request.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The activation guidance uses broad, conversational triggers such as 'summarize today', 'how was my day', and 'review my day', plus a contextual condition like 'Evening hours, user is chatting casually'. That can cause the skill to run when the user did not clearly consent to compiling sensitive location and notification history, increasing the risk of unintended exposure of private behavioral data.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
This skill is explicitly designed to aggregate highly sensitive location trajectory, dwell-time, and notification data, but it does not warn the user about the privacy implications or require explicit acknowledgment before processing. Because the report reveals routines, places visited, time spent at locations, and app activity patterns, unintended use could expose intimate personal behavior and increase surveillance or profiling risks.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The trigger phrases include broad natural language like '帮我打卡' ("help me check in") and '飞书签到' ("Feishu check-in"), which may match ordinary conversation without enough contextual confirmation. Because the skill performs real UI actions in an authenticated app, accidental invocation could cause unintended attendance submissions.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The skill begins remote UI automation that can lead directly to attendance submission without any explicit warning, consent checkpoint, or final confirmation. In this context, the action affects employment records and may have compliance or disciplinary consequences, making silent execution especially risky.

VirusTotal

66/66 vendors flagged this skill as clean.
