skill-feedback-collector

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real feedback tool, but it exposes an unauthenticated network control panel by default that can read saved feedback and send instructions to the agent.

Review before installing. Use it only on a trusted machine or tightly firewalled network, do not expose port 18061 publicly, avoid sending secrets through feedback, and treat queued tasks as instructions the agent will execute. If you rely on FEEDBACK_TOKEN, test the browser flow carefully because the client appears not to forward the token to API or WebSocket calls; also review or delete feedback-history.json regularly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

High
Confidence: 97%
Finding
The tool is presented as a human-in-the-loop confirmation mechanism, but when the queue is non-empty it returns a queued task immediately without any live human approval. That breaks the security and safety boundary users or upstream agents may rely on, allowing autonomous continuation in contexts where explicit human gating was expected.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The skill markets itself as a feedback collector that pauses for human input, yet it also contains automatic task queue behavior that can advance work without live review. This mismatch can mislead operators and dependent agents into trusting a human-approval control that is not consistently enforced.

Vague Triggers

Medium
Confidence: 83%
Finding
The activation guidance is very broad: it says to use the skill when completing tasks, when uncertain, before destructive changes, when the user prefers confirmation, and for batch execution. This can cause the skill to trigger across many normal workflows, exposing task details to a browser-accessible feedback service and creating unnecessary human-in-the-loop pauses; in environments where the UI is reachable over the network, that broad routing increases the chance that sensitive work summaries are surfaced through an auxiliary channel.

Missing User Warnings

Medium
Confidence: 86%
Finding
Human and AI feedback history is persisted to feedback-history.json without any disclosure or consent flow in this file. That creates privacy and data handling risk because sensitive prompts, confirmations, or task contents may be stored on disk unexpectedly and later exposed to other local users, backups, or processes.

Missing User Warnings

Medium
Confidence: 95%
Finding
The server binds to 0.0.0.0 and authentication is optional because an empty FEEDBACK_TOKEN permits unrestricted access. In that configuration, anyone with network reachability can read status/history or submit feedback and queue actions, undermining integrity and confidentiality of the human-in-the-loop workflow.

Missing User Warnings

Medium
Confidence: 82%
Finding
The service accepts feedback and queue-management data over HTTP and WebSocket, with permissive CORS, but provides no disclosure that user inputs are transmitted over the network. In deployments without TLS or with weak auth, sensitive human responses and operational commands may be intercepted or submitted by unintended parties.

VirusTotal

64/64 vendors flagged this skill as clean.