Mvp Kanban Complete Skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local Kanban app, but it exposes unauthenticated web/API/MCP operations that can change or delete board data, with inconsistent network-scoping guidance.

Install only for local or trusted-network use. Do not expose port 9999 publicly unless you add authentication, HTTPS, and firewall restrictions, and make backups before using batch delete, natural-language commands, or restore.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding: The document asserts there are no code security problems and no medium/high risks, while elsewhere recommending authentication before production use. If the skill exposes a web/API interface without authentication, unauthorized users on the reachable network could access or modify application data, and the contradictory report may cause operators to deploy it with misplaced confidence.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding: The manifest explicitly states that no password is required while also exposing the web UI on TCP port 9999 and recommending a firewall allow rule. That means anyone with network access to the service could potentially view and modify board data without authentication, which is a real access-control weakness rather than a documentation-only issue.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The nlp_command tool extends a kanban-board MCP server with networked command processing by forwarding arbitrary natural-language input to an HTTP service on localhost. This creates an unintended trust boundary: sensitive user prompts or board data may be sent to another process, and the downstream LLM service may perform actions or interpretations not visible or constrained in this file.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The llm_search tool does not search local kanban data directly; it forwards query text to another HTTP service. That introduces data egress and dependency on an external component whose security properties are unknown, which is broader than the server's stated local board-management role.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The restore command untars data directly into the persistent volume with no prompt, backup, or overwrite warning. This can irreversibly replace application data through operator error or misuse, creating an integrity and availability risk.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: This natural-language command endpoint is more dangerous than a normal delete route because it lets an LLM or MCP-style caller translate unstructured input directly into state-changing actions, including update and delete, with no confirmation, approval gate, or visible disclosure. In an agent context, this materially increases the risk of prompt-influenced destructive operations, accidental mass changes, or unintended deletes triggered by ambiguous or adversarial input.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The nlp_command tool transmits user-provided command text to another service over HTTP without clearly disclosing that prompt contents leave the current process boundary. If users include internal project details, credentials, or sensitive operational data in commands, this creates preventable data exposure to a separate service.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The search tool sends raw query text to a separate HTTP service without clear user disclosure. Search queries often contain sensitive business context, names, incident terms, or unreleased project details, so silent forwarding increases privacy and confidentiality risk.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (code excerpt, truncated by the scanner):

    """
        import requests
        try:
            response = requests.post(
                "http://localhost:9999/api/llm/command",
                json={"command": command},
                timeout=10

Confidence: 95%
Finding: requests.post( "http://

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (code excerpt, truncated by the scanner):

    """
        import requests
        try:
            response = requests.post(
                "http://localhost:9999/api/llm/search",
                json={"query": query, "limit": limit},
                timeout=10

Confidence: 94%
Finding: requests.post( "http://

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (code excerpt, truncated by the scanner):

    """
        import requests
        try:
            response = requests.post(
                "http://localhost:9999/api/llm/command",
                json={"command": command},
                timeout=10

Confidence: 95%
Finding: requests.post( "http://localhost:9999/api/llm/command", json=

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (code excerpt, truncated by the scanner):

    """
        import requests
        try:
            response = requests.post(
                "http://localhost:9999/api/llm/search",
                json={"query": query, "limit": limit},
                timeout=10

Confidence: 94%
Finding: requests.post( "http://localhost:9999/api/llm/search", json=

Tool Parameter Abuse

Severity: High
Category: Tool Misuse
Content (excerpt from the skill's API documentation; the start of the preceding code block is cut off):

    }
    ```

    #### DELETE /api/projects/:id
    Delete project

    ---

Confidence: 78%
Finding: DELETE /api/projects/:id

VirusTotal

66/66 vendors flagged this skill as clean.
