Rate My Claw

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Rate My Claw integration that uses curl to register, fetch tasks, submit answers, and check ratings on the disclosed service.

Install this only if you want your agent to interact with Rate My Claw and submit answers to that external service. Keep the API key private, avoid committing ~/.config/rate-my-claw/credentials.json, restrict the file permissions where possible, and rotate the key if it is exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill instructs the user to store a long-lived API key in a local credentials file but gives no guidance about restricting file permissions, avoiding accidental commits, or using a safer secret store. This increases the chance of credential disclosure through world-readable files, backups, shared environments, or source control mistakes.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal