Architecture Governance & Assessment

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a disclosed Tencent Cloud Smart Advisor integration, but it bundles high-impact IAM/login capabilities and includes unrelated publishing guidance that appears to help bypass ClawHub anti-spam controls.

Install only if you intend to give the skill Tencent Cloud credential access and are comfortable with optional CAM role creation, broad policy attachment, and passwordless console-login link generation. Prefer short-lived or least-privilege credentials, avoid storing AK/SK permanently in shell profiles, review any role or policy before approving it, and treat the bundled ClawHub publishing guide as a red flag unrelated to normal use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (41)

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill is presented as an architecture assessment tool, but it also performs privileged IAM lifecycle actions, credential validation, local config manipulation, cleanup operations, and passwordless console-login generation. That scope expansion is dangerous because users may consent to assessment functionality without realizing the skill can modify cloud IAM state and facilitate console access.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The guide explicitly recommends token rotation and paced bulk publishing to get around anti-spam controls put in place after a supply-chain attack. For an architecture-governance skill, this is unrelated to its stated purpose and materially assists users in evading platform trust and abuse protections.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Advising users to modify README files, examples, and metadata to create apparent differences between skills is an evasion tactic aimed at defeating similarity/template-spam detection. This is dangerous because it helps disguise mass-produced submissions and undermines a control specifically intended to prevent malicious or low-trust package distribution.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The README documents capabilities that materially exceed the stated purpose of architecture governance and assessment, including passwordless console login, role creation/setup, cleanup, and environment inspection. Expanding a read-oriented assessment skill into account-access and configuration-changing operations increases the attack surface and creates a mismatch that can mislead users and calling agents about the skill's real authority.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Generating passwordless console login links is a high-impact account-access capability that is not justified by a governance-assessment use case. In an agent setting, this can turn a reporting tool into a privilege-bearing access broker, enabling unintended console access flows or social engineering around trusted links.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Role creation/setup and cleanup are administrative capabilities that go beyond assessment and can modify cloud identity or local/cloud configuration. Bundling them into an assessment skill weakens least-privilege boundaries and makes accidental or unauthorized destructive or privilege-altering actions more plausible.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The security note claims keys are not transmitted over the network, but authenticated Tencent Cloud API requests necessarily use those credentials or derived signatures in remote requests. This is a misleading security statement that can cause operators to underestimate credential exposure and trust the tool under false assumptions.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The documented capability set includes role creation/deletion and generation of passwordless console links, which materially exceeds a normal 'assessment' tool's expected behavior. This mismatch increases the chance of unsafe operator approval and weakens informed consent around sensitive identity and console-access actions.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill explicitly instructs users to persist long-lived cloud secrets into shell profile files such as ~/.bashrc and ~/.zshrc. Persisting AK/SK in startup files increases exposure through local compromise, accidental disclosure, backups, terminal history/workstation sharing, and long-term credential reuse far beyond the assessment task's needs.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document claims the role setup is read-only and harmless, but elsewhere it describes attachment of broader full-access policies including tag write permissions. Misrepresenting effective privilege is dangerous because users may approve an operation under false assumptions, leading to over-privileged roles and avoidable IAM risk.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file content materially does not match the declared skill purpose: it is Tencent Cloud API signing documentation and sample request construction code, not architecture governance or assessment logic. This mismatch is dangerous because it expands the skill's effective capability surface toward credential use and cloud API interaction, making review, least-privilege scoping, and user trust assumptions inaccurate.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The examples instruct reading SecretId and SecretKey from environment variables inside a skill whose stated purpose does not require credential access. In this context, exposing credential-handling patterns is risky because it normalizes access to sensitive secrets and could be repurposed by surrounding agent logic to sign real cloud requests.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The document explicitly states that replacing the sample credentials and timestamp can produce a working URL for actual API calls, and several snippets show how to construct callable requests. For an architecture-assessment skill, this creates unnecessary execution-adjacent cloud access capability, increasing the chance of unauthorized actions or unintended billable operations if integrated into an agent workflow.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The module-level documentation claims the script is read-only and does not modify configuration, but later code writes ~/.tencent-cloudq/config.json when an existing role is found. This kind of deceptive or inaccurate behavior can mislead users and reviewers about side effects, reducing informed consent and trust in security-sensitive setup code.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file is a destructive cleanup utility that deletes local configuration, generates shell cleanup scripts for credential-related environment variables, and can remove a cloud CAM role. That behavior is materially outside the stated purpose of an architecture governance assessment skill, so users invoking the skill for assessment may be exposed to unexpected state-changing operations.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code handles Tencent Cloud credential-related environment variables and supports deletion of a cloud IAM-equivalent CAM role, which is unjustified for a best-practices assessment tool. In this context, secret handling plus identity deletion creates unnecessary destructive capability and increases the blast radius if the skill is misused or triggered unexpectedly.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script performs privileged IAM write actions by creating a CAM role and attaching broad policies, even though the skill is described as an architecture governance and assessment tool. That is a dangerous scope mismatch: users expecting read-only assessment behavior could instead be induced to grant persistent access and modify account permissions.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script reads cloud credentials from environment variables and uses them to make privileged CAM API calls. While reading env vars is common, in this context it enables unexpected account modification by an assessment/reporting skill, increasing the chance of credential misuse or unauthorized privilege changes.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The role creation flow explicitly enables console login and then attaches QcloudTAGFullAccess and QcloudAdvisorFullAccess, creating a persistent privileged identity. For an assessment tool, provisioning a login-capable role with broad permissions is unnecessary and materially increases the attack surface if the role is abused or misconfigured.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script introduces cloud authentication and console login-link generation capabilities that are not aligned with the declared purpose of architecture governance assessment and reporting. This capability materially expands the skill's privilege and abuse surface by handling long-lived credentials, assuming roles, and producing direct console access links.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Generating Tencent Cloud SSO-style console login URLs enables interactive cloud-console access using temporary credentials, which is unrelated to governance assessment and can be abused for unauthorized console access if invoked in broader agent workflows. In the context of a supposedly assessment-only skill, this hidden operational capability is especially concerning because it grants access rather than merely analyzing architecture.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill's stated purpose is architecture governance assessment, but this script can create IAM/CAM roles and attach policies, materially changing the user's cloud security posture. In the context of an assessment tool, privilege-modifying behavior is unexpected and dangerous because users may grant broad access under the guise of read-only advisory setup.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script reads long-lived cloud API credentials from environment variables to drive setup actions that exceed pure architecture assessment. In this skill context, collecting credentials is more sensitive because the tool is advertised as an evaluator/report generator, not as an administrative provisioning utility.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This code path uses the obtained credentials to create a role and attach policies, which is an administrative action not justified by the declared assessment purpose. Because it modifies IAM configuration, a user expecting passive analysis could unintentionally authorize broader access than needed.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The script claims the role is only for viewing advisor information, yet it attaches QcloudTAGFullAccess in addition to advisor access. This mismatch is dangerous because it misrepresents the granted privilege scope and can lead users to approve broad tag-management permissions they did not intend to authorize.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal