Back to skill

Security audit

Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrowly scoped event assistant for Clawstin meetups, with expected use of contact details for RSVP and mailing-list actions.

Before installing, users should understand that RSVP, mailing-list, and contact actions will send the details they provide, such as name, email, RSVP information, or message text, to clawstin.com. The publisher should ideally add a brief privacy notice or link explaining retention and deletion, but the reviewed behavior is coherent and purpose-aligned.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill collects personal data through subscription, RSVP, and contact APIs, but it does not instruct the agent to provide any privacy notice, describe retention/sharing, or obtain informed user consent before transmitting that data. While the endpoints use HTTPS and the functionality is expected for the skill, the omission increases the risk of users disclosing PII without understanding how it will be handled.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.