Agent Comm Skill

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned, but it needs Review because it handles relay networking and persistent signing keys with weak disclosure and scoping.

Install only if you trust the publisher and can control how agents invoke it. Use trusted wss:// relay endpoints, avoid broadcasting sensitive plaintext, keep aliases/localId values constrained, and protect or remove the data/keystore directory because it contains signing keys that can impersonate local agent identities.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 86%
Finding
The skill explicitly supports relay network connections and encryption/decryption of sensitive credentials, but it does not warn users about what data may leave the local environment, what trust assumptions apply to the relay, or how session keys and decrypted secrets should be handled. In a security-focused skill, omission of privacy and sensitive-data usage guidance can cause users or downstream agents to expose credentials or confidential payloads under a false sense of safety.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill establishes WebSocket connections using a default insecure URL (`ws://localhost:3001`) and sends authentication material, including a signed challenge, DID, session identifiers, and later broadcast payloads, over that channel. If the relay URL is non-local, proxied, container-bridged, or attacker-controlled, traffic can be intercepted or modified in transit; even on localhost, there is no user disclosure or trust validation for outbound network transmission of potentially sensitive data.

Missing User Warnings

Medium
Confidence: 93%
Finding
The code establishes a WebSocket connection to a configurable relay URL and sends authentication material, session identifiers, DIDs, signatures, and broadcast payloads without requiring transport security or any user-visible disclosure. Because the default relay uses plain `ws://`, an attacker on the network or a malicious relay can observe or tamper with challenge/subscribe/broadcast traffic, which can expose sensitive metadata and potentially facilitate session hijacking or message manipulation.

Missing User Warnings

Medium
Confidence: 92%
Finding
The code persists a long-term Ed25519 private signing key to disk in plaintext JSON under a predictable path inside the working directory. Even with file mode 0600, any local process running as the same user, backups, container volume mounts, accidental repository inclusion, or filesystem disclosure can expose the key and allow message forgery or identity impersonation.

VirusTotal

66/66 vendors flagged this skill as clean.