Clawhub Rate Limited Publisher Fixed

Security checks across malware telemetry and agentic risk

Overview

The skill has a real publishing purpose, but its helper can run queue-controlled shell commands on the user's computer, which is broader than needed.

Review carefully before installing or scheduling. Use dry-run first, verify the logged-in ClawHub account, avoid any queue item with a custom command field, and do not configure cron/systemd unless you have audited or changed the helper to run a fixed clawhub publish argument list without shell=True.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    print(f"[info] command: {command_str}")
    if not execute:
        return None
    return subprocess.run(
        command_str,
        shell=True,
        text=True,
Confidence
99% confidence
Finding
    return subprocess.run(
        command_str,
        shell=True,
        text=True,
        capture_output=True,
        check=False,
        cwd=str(skill_path.parent),
    )

Underdeclared Capability

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill explicitly instructs the agent or host to read and write local queue files and invoke a local Python script and the `clawhub` CLI, which are file and shell capabilities. Because these capabilities are not declared in permissions metadata, the skill creates a transparency and enforcement gap: users or platforms may treat it as lower risk than it actually is, while it can trigger local command execution and filesystem changes. The context makes this somewhat less suspicious because the purpose is operational publishing automation, but it is still security-relevant because it schedules repeated command execution against local paths.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The queue format explicitly permits each item to specify an arbitrary `command`, and validation only checks that the string contains `{path}`. This means the tool is not a strict publisher but a generic shell command runner with rate limiting, allowing arbitrary local command execution under the privileges of the scheduler or user invoking it.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The module documentation claims a rate-limited ClawHub publisher, but the implementation accepts caller-provided shell commands and executes them. This mismatch increases operational risk because users and automation may trust the tool as narrowly scoped while it actually exposes a broader command-execution surface.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code executes queue-supplied shell commands without any explicit warning, confirmation gate, or indication that `--execute` may run arbitrary host commands. In the context of a scheduler-driven publisher, this makes accidental trust more likely and increases the chance that dangerous queue content is executed without operator awareness.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal