Li Python Sec Check

Security checks across malware telemetry and agentic risk

Overview

This skill is presented as a local Python security checker with optional LLM analysis; users should avoid running its intentionally unsafe example app as a server.

Before installing, understand that the scanner will read the target project and write reports locally. Do not run examples/unsafe-example/app.py or expose it on a network. Avoid LLM analysis for private code unless you are comfortable sending snippets or scan results to the configured API endpoint, and prefer environment variables or a secret manager over command-line API keys.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
@app.route('/ping')
def ping():
    host = request.args.get('host', 'localhost')
    os.system("ping -c 1 " + host)

# ❌ eval injection
@app.route('/calc')
Confidence
99% confidence
Finding
os.system("ping -c 1 " + host)

eval() call detected

High
Category
Dangerous Code Execution
Content
@app.route('/calc')
def calc():
    expr = request.args.get('expr', '1+1')
    return str(eval(expr))

if __name__ == '__main__':
    # ❌ debug mode enabled
Confidence
99% confidence
Finding
return str(eval(expr))

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill metadata declares no permissions, yet the analyzer detected capabilities for environment access, file read/write, network, and shell execution. This mismatch is dangerous because it hides the skill's effective trust requirements from users and reviewers, increasing the chance that a powerful skill is installed or run without informed consent or appropriate sandboxing.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
This file implements a network-accessible Flask application with command execution and dynamic evaluation features, which is inconsistent with the advertised purpose of a security checking tool. The mismatch increases risk because users may treat the repository as defensive tooling while it contains directly runnable offensive or unsafe behavior.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
The combination of HTTP exposure plus system command execution and dynamic code evaluation is far more dangerous than expected for a security checker utility. In skill context, capability-purpose mismatch matters because users may install or run the skill trusting its stated defensive function, increasing the chance of unsafe deployment.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The file states it is only an unsafe test example, but it is fully runnable and can start a listening Flask server. That contradiction makes accidental misuse more likely, especially because the example contains real exploitable behaviors and can be executed directly.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The module explicitly states that code snippets and scan results may be sent to an external API for analysis. In a security-checking tool, transmitting source code, findings, or privacy-related scan data to a third party creates a real confidentiality and compliance risk, especially if users assume analysis is local-first and do not realize sensitive material leaves the environment.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The tool description says LLM functionality is disabled by default and local execution is prioritized, but the default run path enables privacy and data-security analyzers imported from `scripts.llm_analyzer`. If those analyzers use networked LLM backends or process sensitive source content externally, users may unknowingly send code or secrets to a third party, violating least surprise and privacy expectations.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The CLI advertises `--llm` as the switch that enables LLM analysis, but the flag is not actually used to control the privacy/data-security checks. This mismatch can mislead users into believing LLM functionality is off when it may still run, which is a security-relevant consent and data-handling flaw for a source-code scanning tool.

Natural-Language Policy Violations

Low
Confidence
95% confidence
Finding
The document explicitly recommends changing the review status to “✅ Benign,” which is a security-backdoor pattern in documentation because it attempts to influence or override independent trust decisions. While it does not execute code or directly compromise systems, this kind of self-attestation can mislead reviewers and reduce scrutiny of real risks such as optional code exfiltration via the LLM feature.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation explicitly shows passing an API key via the command line, which can expose secrets through shell history, process listings, CI logs, and audit tooling. Because this is a security tool's documentation, users may copy-paste these examples directly, increasing the chance of credential leakage.

Known Vulnerable Dependency: pytest — 1 advisory(ies): CVE-2025-71176 (pytest has vulnerable tmpdir handling)

Low
Category
Supply Chain
Confidence
87% confidence
Finding
pytest

VirusTotal

65/65 vendors flagged this skill as clean.