Execution Plan Splitter

Security checks across malware telemetry and agentic risk

Overview

The skill’s normal plan-writing workflow is local and non-destructive, but its bundled script contains under-disclosed audit functions that can inspect local files and surface sensitive-looking content if enabled.

Install only if you are comfortable with a local Python helper being present. Use it for explicit planning documents, avoid pointing it at whole repositories or sensitive directories, and review or remove the audit-oriented modes before trusting it in sensitive workspaces.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises no declared permissions, yet its content explicitly allows invoking `python3` and references reading templates/specs and writing output files. This creates an undeclared capability gap: a caller or platform may treat the skill as low-risk, planning-only functionality while it can actually read and write local files and launch a local interpreter, increasing the chance of unintended file access or command execution.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script's implemented capabilities materially exceed the declared purpose of an execution-plan splitter. It can inspect arbitrary directories, sample CSV contents, scan files for security-related patterns, and audit skill package structure, which expands data access and analysis scope without clear justification. In a skill ecosystem, this kind of scope drift is dangerous because it enables collection and processing of unrelated local content the user may not expect this skill to touch.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The regex-based scanning for secrets, dangerous shell snippets, and private URLs is unrelated to splitting goals into 30/60/90-day plans. Even though it does not exfiltrate data by itself, it processes potentially sensitive file contents and surfaces matched snippets in output, which can expose tokens, internal endpoints, or confidential code fragments to downstream consumers. The mismatch between declared purpose and actual behavior increases the risk of covert data inspection.
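The point of this finding is less the scanning itself than what the helper reports: a scanner that echoes each matched snippet turns a local file read into a disclosure channel for whatever consumes its output (a transcript, a log, a downstream agent). The following added example is not the skill's script and the pattern set is illustrative only; it contrasts a verbose reporter with one that returns location, pattern name and a hash fingerprint but never the matched text. The sample input is constructed and the token and hosts in it are fake.

```python
import hashlib
import re
from typing import Dict, List

# Illustrative patterns only (not the skill's own regex list): a cloud access
# key shape, a PEM private-key header, an internal-looking host, and a
# download-piped-to-shell one-liner.
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "internal_url": re.compile(r"https?://[A-Za-z0-9.-]+\.(?:internal|corp|local)\b[^\s\"']*"),
    "pipe_to_shell": re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b"),
}

# Constructed sample file content; the key and hostnames are fake.
SAMPLE = """\
AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP
deploy: curl -s https://get.example.com/install.sh | sudo bash
METRICS_URL=https://metrics.corp.internal/api/v1
nothing to see here
"""


def scan_verbose(text: str) -> List[Dict]:
    """The behaviour the finding describes: every match is echoed verbatim."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                hits.append({"line": lineno, "pattern": name, "match": m.group(0)})
    return hits


def fingerprint(value: str) -> str:
    """Non-reversible handle for a match so repeat hits can be correlated
    without carrying the plaintext; sha256 prefix, 12 hex chars."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def scan_minimal(text: str) -> List[Dict]:
    """Hardened reporter: location, pattern, span and fingerprint only.
    The matched content itself never leaves this function."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                hits.append({
                    "line": lineno,
                    "pattern": name,
                    "span": [m.start(), m.end()],
                    "fingerprint": fingerprint(m.group(0)),
                })
    return hits


if __name__ == "__main__":
    for hit in scan_verbose(SAMPLE):
        print("verbose:", hit)   # leaks the key and the internal host
    for hit in scan_minimal(SAMPLE):
        print("minimal:", hit)   # location and fingerprint only
```

The fingerprint is a correlation handle, not a secret-preserving commitment: for a high-entropy token a 48-bit hash prefix reveals nothing useful, but for low-entropy matches such as a short internal URL it is guessable offline, so treat the minimal report itself as sensitive metadata rather than as safe to publish.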

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Auditing arbitrary directories and validating skill package structure/frontmatter gives the tool filesystem inspection capabilities unrelated to its stated planning function. This broadens access to local project contents and metadata, creating an unnecessary privacy and security exposure if the skill is invoked on sensitive paths. In context, the undeclared capability makes the behavior more suspicious because users would reasonably expect planning assistance, not repository or package inspection.
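The gap that the least-privilege, description-behaviour and capability findings all describe can be checked mechanically before a skill is installed: compare the permissions a skill declares with the file, process and network calls its bundled script actually makes. The following added example is not the skill's code and is not how SkillSpector performs its scan. It assumes a SKILL.md with YAML frontmatter carrying a `permissions:` list, and the capability labels (fs:read, fs:write, exec, net) are names chosen for this example; both inputs are constructed.

```python
"""Static capability audit: declared permissions vs. what the bundled script does.
Added example; assumptions (frontmatter layout, capability labels) are noted in the
lead-in. Sample SKILL.md and script below are constructed for illustration."""
import ast
import re
from typing import Dict, Optional, Set

# Dotted call names (after import-alias resolution) that imply a capability.
CAPABILITY_CALLS = {
    "os.walk": "fs:read", "os.listdir": "fs:read", "os.scandir": "fs:read",
    "subprocess.run": "exec", "subprocess.Popen": "exec",
    "subprocess.check_output": "exec", "subprocess.call": "exec", "os.system": "exec",
    "urllib.request.urlopen": "net", "requests.get": "net", "requests.post": "net",
}
# Method names on receivers that cannot be resolved statically, e.g. Path(x).rglob().
METHOD_CALLS = {
    "rglob": "fs:read", "glob": "fs:read", "iterdir": "fs:read",
    "read_text": "fs:read", "read_bytes": "fs:read",
    "write_text": "fs:write", "write_bytes": "fs:write",
}


def parse_declared_permissions(skill_md: str) -> Set[str]:
    """Collect `- item` entries under `permissions:` in the --- frontmatter block."""
    m = re.match(r"^---\n(.*?)\n---", skill_md, re.S)
    if not m:
        return set()
    declared, in_perms = set(), False
    for line in m.group(1).splitlines():
        if re.match(r"^permissions:\s*$", line):
            in_perms = True
        elif in_perms and re.match(r"^\s+-\s+\S", line):
            declared.add(line.split("-", 1)[1].strip())
        elif not line.startswith(" "):
            in_perms = False
    return declared


def _is_write_mode(call: ast.Call) -> bool:
    """True when open() is given a literal mode containing w, a, x or +."""
    mode = None
    if len(call.args) > 1 and isinstance(call.args[1], ast.Constant):
        mode = call.args[1].value
    for kw in call.keywords:
        if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
            mode = kw.value.value
    return isinstance(mode, str) and any(c in mode for c in "wax+")


class _CapabilityVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.aliases: Dict[str, str] = {}    # local name -> imported dotted name
        self.used: Dict[str, Set[int]] = {}  # capability -> source line numbers

    def visit_Import(self, node: ast.Import) -> None:
        for a in node.names:
            self.aliases[a.asname or a.name] = a.name

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        for a in node.names:
            self.aliases[a.asname or a.name] = f"{node.module}.{a.name}"

    def _dotted(self, node: ast.AST) -> Optional[str]:
        parts = []
        while isinstance(node, ast.Attribute):
            parts.append(node.attr)
            node = node.value
        if not isinstance(node, ast.Name):
            return None  # receiver is a call result or subscript, not a module name
        parts.append(self.aliases.get(node.id, node.id))
        return ".".join(reversed(parts))

    def visit_Call(self, node: ast.Call) -> None:
        name = self._dotted(node.func)
        if name == "open":
            cap = "fs:write" if _is_write_mode(node) else "fs:read"
        elif name in CAPABILITY_CALLS:
            cap = CAPABILITY_CALLS[name]
        elif isinstance(node.func, ast.Attribute):
            cap = METHOD_CALLS.get(node.func.attr)
        else:
            cap = None
        if cap:
            self.used.setdefault(cap, set()).add(node.lineno)
        self.generic_visit(node)


def audit_capabilities(script_src: str) -> Dict[str, Set[int]]:
    """Capabilities the script exercises, with the line numbers that exercise them."""
    v = _CapabilityVisitor()
    v.visit(ast.parse(script_src))
    return v.used


def undeclared_capabilities(skill_md: str, script_src: str) -> Dict[str, Set[int]]:
    """Capabilities used by the script that SKILL.md does not declare."""
    declared = parse_declared_permissions(skill_md)
    return {c: ln for c, ln in audit_capabilities(script_src).items() if c not in declared}


# Constructed SKILL.md: declares read access only.
SKILL_MD = """\
---
name: plan-splitter
description: Split a goal into 30/60/90-day plans.
permissions:
  - fs:read
---
Run `python3 scripts/split_plan.py spec.md` to produce the plan.
"""

# Constructed helper script: writes files, walks directories and runs commands.
SCRIPT = '''\
import os
import subprocess
from pathlib import Path

def write_plan(path, text):
    with open(path, "w") as f:
        f.write(text)

def audit_dir(root):
    for p in Path(root).rglob("*.py"):
        p.read_text()
    for dirpath, _, files in os.walk(root):
        pass

def run_check(cmd):
    return subprocess.run(cmd, shell=True, capture_output=True)
'''

if __name__ == "__main__":
    for cap, lines in sorted(undeclared_capabilities(SKILL_MD, SCRIPT).items()):
        print(f"undeclared {cap} at lines {sorted(lines)}")
```

This is a syntactic check, so it misses dynamic dispatch (`getattr(os, "walk")`, `importlib`, `exec`) and it treats an unresolvable receiver by method name alone; use it as a gate that flags obvious scope drift for human review, not as proof that a script is confined to its declared permissions.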

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger examples are broad everyday phrases such as '给我一个可执行路线图' ("give me an actionable roadmap"), which can plausibly appear in unrelated planning conversations. In skill-routing systems, overly generic triggers increase the chance of accidental invocation, causing the agent to apply this skill in contexts where it was not intended and potentially producing misleading structured plans from incomplete or sensitive input.

VirusTotal

52/52 vendors reported this skill as clean. A clean antivirus result means only that no vendor matched known-malicious signatures; it does not address the scope and disclosure findings above, which concern legitimate-looking code doing more than the skill declares.
