GEO Content Guard

Security checks across malware telemetry and agentic risk

Overview

This skill is disclosed as a content scanner; the privacy considerations below apply when it scans local files or when its optional AI review is enabled.

Install this if you want a scanner for web pages, selected local files, or pasted text. Avoid scanning sensitive private material unless you are comfortable with saved reports that contain file paths, metadata, and evidence snippets. Use --with-ai only when sending excerpts to the configured AI endpoint is acceptable, and, in managed environments, verify where ZENMUX_ANTHROPIC_BASE_URL points before enabling it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Tainted flow: 'request' from os.environ.get (line 299, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urllib.request.urlopen(request, timeout=45) as response:
            parsed = json.loads(response.read().decode("utf-8"))
        raw_content = "".join(part.get("text", "") for part in parsed.get("content", []) if isinstance(part, dict))
        review = json.loads(_extract_json_object(raw_content))
Confidence
88% confidence
Finding
with urllib.request.urlopen(request, timeout=45) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises executable commands that read local files, fetch URLs, write reports, and likely use environment-based configuration, but the manifest does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: operators may approve the skill assuming minimal scope while it can access broader resources than expected.
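The gap this finding describes can be checked mechanically: walk the skill's source for calls that imply a capability (environment reads, file reads and writes, outbound network) and diff that set against what the manifest declares. The script below is an added example, not SkillSpector's own logic and not code from GEO Content Guard; the manifest shape (a flat "permissions" list) is a hypothetical schema, the capability table is a constructed, deliberately small subset, and the sample skill source is constructed to mirror the behaviours the finding lists.

```python
import ast

# Call chains that imply a capability. Constructed table for this example; a
# real checker would cover many more APIs (subprocess, sockets, requests, ...).
_CALL_CAPABILITIES = {
    ("os", "environ", "get"): "env:read",
    ("os", "getenv"): "env:read",
    ("urllib", "request", "urlopen"): "net:outbound",
    ("os", "listdir"): "fs:enumerate",
    ("os", "walk"): "fs:enumerate",
}


def _dotted(node):
    """Flatten a.b.c / name into a tuple of parts, or None if not a plain chain."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return tuple(reversed(parts))
    return None


class CapabilityVisitor(ast.NodeVisitor):
    """Record which capability each source line exercises."""

    def __init__(self):
        self.used = {}  # capability -> [line numbers]

    def _note(self, capability, node):
        self.used.setdefault(capability, []).append(node.lineno)

    def visit_Call(self, node):
        name = _dotted(node.func)
        if name == ("open",):
            # Decide read vs write from a literal mode argument; default is read.
            mode = "r"
            if len(node.args) > 1 and isinstance(node.args[1], ast.Constant):
                mode = str(node.args[1].value)
            for kw in node.keywords:
                if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
                    mode = str(kw.value.value)
            self._note("fs:write" if any(c in mode for c in "wax+") else "fs:read", node)
        elif name in _CALL_CAPABILITIES:
            self._note(_CALL_CAPABILITIES[name], node)
        self.generic_visit(node)

    def visit_Subscript(self, node):
        # os.environ["X"] reads the environment without a call.
        if _dotted(node.value) == ("os", "environ"):
            self._note("env:read", node)
        self.generic_visit(node)


def check_capabilities(source: str, manifest: dict) -> dict:
    """Compare capabilities the code exercises with those the manifest declares."""
    visitor = CapabilityVisitor()
    visitor.visit(ast.parse(source))
    declared = set(manifest.get("permissions", []))
    if "*" in declared:
        # A wildcard declares nothing useful; report it as its own finding.
        return {"wildcard": True, "undeclared": {}, "unused": set()}
    undeclared = {cap: lines for cap, lines in visitor.used.items() if cap not in declared}
    return {
        "wildcard": False,
        "undeclared": undeclared,
        "unused": declared - set(visitor.used),
    }


# Constructed skill source mirroring the behaviours the finding lists.
SAMPLE_SKILL = '''import os, json, urllib.request
def run(path, url):
    key = os.environ.get("API_KEY")
    base = os.environ["BASE_URL"]
    with open(path) as f:
        text = f.read()
    req = urllib.request.Request(base, data=json.dumps({"t": text}).encode(),
                                 headers={"x-api-key": key}, method="POST")
    urllib.request.urlopen(req, timeout=45)
    with open("report.json", "w") as out:
        out.write("{}")
'''

# Hypothetical manifest schema: a flat "permissions" list.
SAMPLE_MANIFEST = {"name": "example-skill", "permissions": ["fs:read"]}

if __name__ == "__main__":
    print(check_capabilities(SAMPLE_SKILL, SAMPLE_MANIFEST))
```

Run against the constructed sample, the manifest declares only fs:read, so the check reports env:read, net:outbound, and fs:write as undeclared with the offending line numbers; a manifest that declares "*" is reported as a wildcard rather than silently satisfying everything.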

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose frames the skill as analyzing external web content, but the described behavior extends to arbitrary local files, raw text, persistent report writing, and optional transmission of analyzed content to an external AI API. That mismatch is dangerous because users may provide sensitive local content or enable AI review without realizing data can be stored or sent off-box, creating confidentiality and compliance risks.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The AI review path transmits the target title, source, domain, static analysis, and a large excerpt of the fetched or loaded content to an external API. Because this skill audits arbitrary external content and local files, that payload may contain proprietary, sensitive, or regulated data, and there is no in-code consent gate, redaction step, or disclosure mechanism before export. The risk is compounded here because the input surface explicitly includes fetched web pages and local file content.
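Taken together, the tainted-flow finding above (environment-derived request material reaching urllib.request.urlopen) and this one (no consent gate, redaction, or disclosure before export) describe what a hardened export path needs: an explicit consent check, an endpoint allowlist enforced on ZENMUX_ANTHROPIC_BASE_URL before anything is sent, and redaction plus a size cap on the excerpt, with an audit record of what would leave the box. The code below is an added example, not code from GEO Content Guard or the scanner. It assumes, without confirmation from the scan report, that the skill takes its endpoint from ZENMUX_ANTHROPIC_BASE_URL and its key from an environment variable; ANTHROPIC_API_KEY, the /v1/messages path, the allowlist contents, and the sample excerpt are all constructed for illustration.

```python
from __future__ import annotations

import json
import os
import re
import urllib.request
from urllib.parse import urlparse

# Hosts that review excerpts are allowed to leave the box for. Constructed
# allowlist for this example; in a managed environment it would come from policy.
ALLOWED_REVIEW_HOSTS = {"api.anthropic.com"}
MAX_EXCERPT_CHARS = 4000

# Secret-looking tokens that must be masked before an excerpt is exported.
_SECRET_PATTERNS = [
    re.compile(r"sk-ant-[A-Za-z0-9_-]{10,}"),           # Anthropic-style API key
    re.compile(r"AKIA[0-9A-Z]{16}"),                     # AWS access key id
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),   # PEM private key header
    re.compile(r"(?i)\b(api[_-]?key|token|password)\s*[:=]\s*\S+"),
]


def validate_review_endpoint(base_url: str) -> str:
    """Accept the endpoint only if it is https and its host is allowlisted."""
    parsed = urlparse(base_url)
    if parsed.scheme != "https":
        raise ValueError(f"review endpoint must use https, got {parsed.scheme!r}")
    if parsed.hostname not in ALLOWED_REVIEW_HOSTS:
        raise ValueError(f"review endpoint host {parsed.hostname!r} is not allowlisted")
    return base_url


def redact_excerpt(text: str) -> tuple[str, int]:
    """Mask secret-looking substrings and cap length; return (text, masked count)."""
    masked = 0
    for pattern in _SECRET_PATTERNS:
        text, n = pattern.subn("[REDACTED]", text)
        masked += n
    return text[:MAX_EXCERPT_CHARS], masked


def build_review_request(title: str, source: str, excerpt: str, *,
                         consent: bool, env=None):
    """Build the outbound AI-review request only after every gate passes.

    Returns (request, audit). Nothing is sent here: the caller decides whether
    to urlopen the request, and the audit record says exactly what would leave.
    """
    env = os.environ if env is None else env
    if not consent:
        raise PermissionError("AI review requires explicit --with-ai consent")
    base_url = validate_review_endpoint(env.get("ZENMUX_ANTHROPIC_BASE_URL", ""))
    api_key = env.get("ANTHROPIC_API_KEY")  # hypothetical variable name
    if not api_key:
        raise ValueError("no API key configured for AI review")
    safe_excerpt, masked = redact_excerpt(excerpt)
    payload = {"title": title, "source": source, "excerpt": safe_excerpt}
    request = urllib.request.Request(
        base_url.rstrip("/") + "/v1/messages",  # hypothetical path
        data=json.dumps(payload).encode("utf-8"),
        headers={"x-api-key": api_key, "content-type": "application/json"},
        method="POST",
    )
    audit = {
        "endpoint": request.full_url,
        "bytes": len(request.data),
        "secrets_masked": masked,
    }
    return request, audit


# Constructed sample excerpt containing two secret-looking strings.
SAMPLE_EXCERPT = "Contact ops. AKIAABCDEFGHIJKLMNOP is in config; password: hunter2 at end."

if __name__ == "__main__":
    demo_env = {"ZENMUX_ANTHROPIC_BASE_URL": "https://api.anthropic.com",
                "ANTHROPIC_API_KEY": "example-key"}
    _, audit = build_review_request("t", "local:notes.txt", SAMPLE_EXCERPT,
                                    consent=True, env=demo_env)
    print(audit)
```

The point of separating build_review_request from the actual urlopen call is that the audit record can be shown to the operator, or written to the report, before any byte leaves the host; with the page's own snippet the only evidence of what was sent is the response that comes back.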

VirusTotal

62/62 vendors flagged this skill as clean.
