Document Manager

Security checks across malware telemetry and agentic risk

Overview

The skill is a document manager, but it writes user content into a directory advertised as reachable through a hard-coded public HTTP URL without clear access-control or consent safeguards.

Install only if you intentionally want generated documents written under /home/node/clawd/docs and made reachable through the configured HTTP server. Do not use it for confidential, customer, credential, legal, financial, or unreleased content unless you control the server and have verified authentication, deletion, and access restrictions.
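Before installing, the "verify access restrictions" step above can be made concrete: map every file the skill would publish to the URL it advertises and fetch each one with no credentials. The script below is an added example, not code from the skill or from the SkillSpector report. It assumes the skill maps /home/node/clawd/docs/<relpath> to <BASE_URL>/<relpath>; the BASE_URL constant is a placeholder (a TEST-NET address), the sample docs tree is constructed, and the demo serves it from a local unauthenticated http.server so the check can be exercised offline.

```python
"""Exposure check for a docs tree published over HTTP.

Added example, not code from the skill or from the SkillSpector report.
Assumptions: the skill maps /home/node/clawd/docs/<relpath> to <BASE_URL>/<relpath>;
BASE_URL is a placeholder (TEST-NET address), not the skill's real value.
"""
import functools
import http.server
import shutil
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path
from urllib.parse import quote

BASE_URL = "http://203.0.113.10:8080/docs"  # placeholder; use the skill's configured URL
DOCS_ROOT = Path("/home/node/clawd/docs")    # directory the skill writes into


def expected_urls(docs_root, base_url):
    """(relpath, url) for every file the skill would advertise, sorted by path."""
    root = Path(docs_root)
    base = base_url.rstrip("/")
    rels = sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())
    return [(rel, f"{base}/{quote(rel)}") for rel in rels]


def classify(status, error=None):
    """Verdict for one unauthenticated fetch: 200 means world-readable,
    401/403 means some gate exists (not proof it is correct), network
    failures are UNREACHABLE, anything else is reported verbatim."""
    if error is not None:
        return "UNREACHABLE"
    if status == 200:
        return "EXPOSED"
    if status in (401, 403):
        return "PROTECTED"
    return f"HTTP {status}"


def probe(url, timeout=5):
    """Fetch url with no cookies or credentials and classify the response."""
    req = urllib.request.Request(url, headers={"User-Agent": "docs-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as e:
        return classify(e.code)
    except (urllib.error.URLError, OSError) as e:
        return classify(None, error=e)


def audit(docs_root, base_url):
    """Probe every published document; return {relpath: verdict}.
    A canary path that does not exist on disk is probed too, so a server
    that answers 200 for anything is not mistaken for real exposure."""
    results = {rel: probe(url) for rel, url in expected_urls(docs_root, base_url)}
    if probe(f"{base_url.rstrip('/')}/__does_not_exist__.md") == "EXPOSED":
        results = {rel: "INCONCLUSIVE (200 for any path)" for rel in results}
    return results


def sample_docs_tree():
    """Constructed sample data: a scratch docs root with two files."""
    root = Path(tempfile.mkdtemp(prefix="docs-check-"))
    (root / "reports").mkdir()
    (root / "reports" / "q3 internal.md").write_text("CONFIDENTIAL draft\n")
    (root / "INDEX.md").write_text("# index\n")
    return root


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static file server with request logging silenced (demo only)."""
    def log_message(self, *args):
        pass


def demo():
    """Offline run: serve the constructed tree with no authentication on
    127.0.0.1 and show every document comes back EXPOSED. A real check
    calls audit(DOCS_ROOT, BASE_URL) against the skill's server instead."""
    root = sample_docs_tree()
    handler = functools.partial(QuietHandler, directory=str(root))
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return audit(root, f"http://127.0.0.1:{srv.server_address[1]}")
    finally:
        srv.shutdown()
        srv.server_close()
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, verdict in demo().items():
        print(f"{verdict:12} {rel}")
```

A PROTECTED verdict only shows that unauthenticated requests are rejected; it says nothing about who holds credentials or whether deletion is possible, so treat it as the start of the review, not the end.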

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly describes reading and writing files under /home/node/clawd/docs and updating indexes, but it declares no permissions. This creates a capability/transparency gap: a caller may invoke the skill without realizing it can modify persistent filesystem state, increasing the risk of unauthorized document creation, overwrites, or data exposure through the published document tree.

Missing User Warnings

High
Confidence
93% confidence
Finding
The README advertises direct URL access and includes a public IP-based base URL, but does not warn that generated documents become network-accessible. In the context of a document-generation skill, this increases the risk that users or upstream agents store sensitive reports, analyses, or internal content and unintentionally publish them over HTTP.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill description is broadly framed to handle professional documents, reports, analyses, guides, and 'any content' needing storage and URL access. Overly broad invocation language can cause the agent to select this skill in contexts the user did not intend, leading to unnecessary persistence of sensitive content and automatic publication via URL.

Vague Triggers

Low
Confidence
84% confidence
Finding
The skill describes update and archive operations as available actions without strong confirmation or authorization boundaries. In practice, that can enable destructive or confusing state changes—such as moving documents, creating new versions, or removing entries from INDEX.md—based on ambiguous requests or unintended invocation.
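What a confirmation and authorization boundary for these operations could look like, as an added example (not the skill's code): writes are confined to the docs root after symlink resolution, overwriting, archiving and removing INDEX.md entries each require an explicit confirmation flag, and adding to the index is the only side effect allowed without one. The docs root, the archive/ layout and the one-line-per-document INDEX.md format are assumptions; the scratch directory is constructed for the demo.

```python
"""Guarded write layer for a docs tree.

Added example, not the skill's code. The archive/ layout and the
'- <relpath>' INDEX.md line format are assumptions.
"""
import tempfile
from pathlib import Path


class GuardError(Exception):
    """Raised when an operation is refused."""


def resolve_inside(root, relpath):
    """Absolute target for relpath, refusing anything that escapes root
    after symlink resolution (../ segments, absolute paths, symlinked dirs)."""
    root = Path(root).resolve()
    target = (root / relpath).resolve()
    if target != root and root not in target.parents:
        raise GuardError(f"refusing path outside docs root: {relpath}")
    return target


def write_doc(root, relpath, content, confirm_overwrite=False):
    """Create a document; replacing an existing one needs explicit confirmation."""
    target = resolve_inside(root, relpath)
    if target.exists() and not confirm_overwrite:
        raise GuardError(f"{relpath} already exists; confirm_overwrite required")
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content)
    return target


def archive_doc(root, relpath, confirm=False):
    """Move a document under archive/ (assumed layout). Destructive, so it
    requires confirmation and never clobbers an existing archived copy."""
    if not confirm:
        raise GuardError(f"archiving {relpath} requires confirmation")
    src = resolve_inside(root, relpath)
    dst = resolve_inside(root, Path("archive") / relpath)
    if not src.is_file():
        raise GuardError(f"{relpath} is not an existing document")
    if dst.exists():
        raise GuardError(f"archive copy of {relpath} already exists")
    dst.parent.mkdir(parents=True, exist_ok=True)
    src.rename(dst)
    return dst


def update_index(root, add=None, remove=None, confirm_remove=False):
    """Maintain INDEX.md as one '- <relpath>' line per document (assumed
    format). Adding is additive; removing an entry needs confirmation."""
    index = resolve_inside(root, "INDEX.md")
    lines = index.read_text().splitlines() if index.exists() else []
    if add and f"- {add}" not in lines:
        lines.append(f"- {add}")
    if remove:
        if not confirm_remove:
            raise GuardError(f"removing {remove} from INDEX.md requires confirmation")
        lines = [line for line in lines if line != f"- {remove}"]
    index.write_text("\n".join(lines) + ("\n" if lines else ""))
    return lines


def refused(fn, *args, **kwargs):
    """True if the call was blocked by the guard (used to show what is refused)."""
    try:
        fn(*args, **kwargs)
        return False
    except GuardError:
        return True


def sample_root():
    """Constructed scratch docs root for the demo."""
    return Path(tempfile.mkdtemp(prefix="docs-guard-"))


if __name__ == "__main__":
    root = sample_root()
    write_doc(root, "reports/q3.md", "draft v1\n")
    update_index(root, add="reports/q3.md")
    print("overwrite without confirm refused:", refused(write_doc, root, "reports/q3.md", "v2"))
    print("traversal refused:", refused(write_doc, root, "../escape.md", "x"))
    print("archive without confirm refused:", refused(archive_doc, root, "reports/q3.md"))
    print("archived to:", archive_doc(root, "reports/q3.md", confirm=True))
    print("index after removal:", update_index(root, remove="reports/q3.md", confirm_remove=True))
```

The confirmation flags are the hook an agent runtime would wire to an explicit user approval; the point is that an ambiguous request cannot reach a destructive branch without one, and no request can reach a path outside the docs root at all.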

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill advertises direct HTTP URLs to content under a public IP and states that all documents are accessible via that pattern, but it does not warn users that stored content may be publicly reachable. This is dangerous because users may provide confidential reports, analyses, or internal documents assuming normal storage, when the skill is effectively publishing them to an externally accessible endpoint.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow says the skill will create folders, write metadata and content files, generate tracking JSON, and update INDEX.md, but it does not clearly warn the user that invoking it causes persistent filesystem modifications. Hidden side effects on storage and indexing increase the chance of accidental writes, clutter, leakage into searchable indexes, and unintended retention of sensitive material.

VirusTotal

No VirusTotal findings