Li Sentry Check

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed SSH server health-check skill, but it should be used carefully because reports and logs may contain sensitive operational data.

Install only if you intend to run SSH inspections on systems you are authorized to inspect. Use a dedicated low-privilege SSH key and account, review targets.yaml and checks.yaml before running, avoid adding state-changing commands, verify host keys for production hosts, and treat generated reports as sensitive: they may include hostnames, service state, failed-login records, and logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill declares restrictive behavior, but its documented and implied capabilities include local file reads, local report writes, outbound SSH network access, and shell command execution. Undeclared capabilities reduce transparency and make it harder for reviewers and runtime policy systems to enforce least privilege, especially for a skill that accesses remote hosts and SSH keys.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The security declaration claims the skill does not write files and limits network effects, yet the documented behavior includes optional local report writes and host key acceptance behavior that mutates local SSH trust state. This mismatch is dangerous because operators may trust the stronger claims and run the skill in environments where local state changes or SSH trust-on-first-use are unacceptable, increasing the risk of data leakage or man-in-the-middle exposure.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The README repeatedly frames the skill as performing read-only server inspection, but the extension example adds a raw `mysql -e ...` command, which introduces a general-purpose database client into the allowed checks. Even though the sample query is read-only, documenting unrestricted SQL execution expands the capability beyond host inspection and can enable state-changing queries if the command list is modified or copied carelessly.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The extension guide broadens the skill from read-only Linux health inspection into database interaction by suggesting a raw `mysql` command. Even though the example is framed as inspection, it expands operational scope and introduces a path for users to add commands outside the original least-privilege/read-only server-check model, which increases the chance of unsafe extensions and access to more sensitive data.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The document asserts that arbitrary remote command execution is not supported, yet the extension section explicitly shows operators adding raw shell commands to checks.yaml. In a skill whose purpose is to SSH into production servers and execute commands remotely, this contradiction weakens the claimed trust boundary and can enable unsafe or overly broad command execution if users extend the skill without strict validation.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script accepts an arbitrary --output path and writes the generated report there, contradicting its stated read-only behavior. In an agent environment, this can be abused to overwrite local files accessible to the agent account, potentially clobbering configuration, logs, or other sensitive workspace files and breaking trust boundaries.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The security documentation claims the tool only reads two fixed files and never writes files, but the implementation also expands and uses an arbitrary SSH key path from configuration and can write reports to any user-specified path. This mismatch is dangerous in agent settings because operators and policy engines may rely on the declared constraints, causing them to approve a tool that has broader filesystem access than advertised.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The README describes SSH-based inspection of remote Linux servers and generation of reports containing system, service, security, and log data, but it does not prominently warn users up front that sensitive operational data will be transmitted over SSH and then displayed or saved locally in reports. In this context, missing disclosure can lead operators to run the skill against production systems without understanding that host details, logs, failed services, and security-relevant findings may be exposed in terminal output or output files.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The README describes SSH access to remote systems and collection of logs, service status, and security-relevant system data without a prominent pre-use warning about privacy, authorization, or operational impact. In this context, operators may run the skill against systems containing sensitive logs or metadata, creating risk of unauthorized inspection, over-collection, or mishandling of collected data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Using StrictHostKeyChecking=accept-new silently trusts the first host key seen, which exposes first-connection sessions to man-in-the-middle attacks. Because this skill connects to remote servers over SSH and may inspect sensitive operational data, auto-accepting host keys materially increases the risk of connecting to an attacker-controlled endpoint without warning.

VirusTotal

66/66 vendors flagged this skill as clean.
