1Panel Appstore skill

Security checks across malware telemetry and agentic risk

Overview

This skill generates 1Panel local app packages, consistent with its stated purpose. The main risk is that generated packages may include Docker settings and optional init scripts that users should review before running.

Install this only if you intend to generate 1Panel local app packages. Before installing any generated package in 1Panel, review its docker-compose.yml, data.yml, exposed ports, host mounts, image provenance, secrets, and especially any scripts/init.sh content; test first on a non-production host.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill advertises operational behavior that includes reading references, writing package artifacts, and invoking a local Python generator, yet the metadata only declares a binary requirement and does not declare corresponding permissions. That mismatch weakens review and consent boundaries because a user or platform may not realize the skill can read files, write files, and execute shell/Python-driven actions.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The generator writes spec-provided init_commands directly into a generated init.sh script with no allowlist, sandboxing, or semantic validation. In this skill's context, that means an untrusted or mistaken app spec can cause arbitrary shell execution during app initialization, which exceeds simple package generation and can modify the host or mounted data with the privileges granted to the init hook.

Missing User Warnings

Low
Confidence: 80%
Finding
The skill instructs creation of an intermediate spec under /tmp without clearly warning the user that a local file will be written. While writing to /tmp is common and the path is not inherently dangerous, silent file creation reduces transparency and can surprise users in environments where temporary files may contain sensitive application metadata.

Missing User Warnings

Low
Confidence: 83%
Finding
The skill directs execution of a local script that generates package files and directories, but it does not clearly disclose this file-system-modifying behavior up front. In a packaging skill this is contextually expected, so the danger is limited, but lack of explicit notice can still undermine informed consent and make unintended writes more likely.

Missing User Warnings

Medium
Confidence: 89%
Finding
The generated init script performs recursive chown/chmod on paths derived from the spec, and although the path validation blocks obvious traversal and absolute paths, the operation can still recursively alter permissions of large mounted directories. Without a prominent user-facing warning or tighter scoping, a bad spec can break application data, weaken file protections, or cause unintended host-side changes inside the package directory tree.

VirusTotal

64/64 vendors flagged this skill as clean.
