Knowledge To Playbook

Security checks across malware telemetry and agentic risk

Overview

This skill is a local SOP/playbook drafting helper that uses an optional Python script to read chosen inputs and write chosen outputs, with no evidence of hidden network access, credential use, persistence, or destructive behavior.

Install this as a local document drafting tool, not an operations executor. Use it only on input files you intend the agent to process, redact sensitive chat logs or personal data where appropriate, choose output paths deliberately, and review generated SOPs before using them for real procedures.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 84%
Finding
The skill declares no permissions, yet its instructions explicitly rely on local file access and optional shell execution via python3. This creates a trust and transparency gap: users and enforcement systems may treat the skill as harmless documentation tooling while it can read/write files and invoke an interpreter, expanding the attack surface and enabling unintended data access or command execution.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 89%
Finding
A material mismatch between the stated purpose and the described/observed behavior is security-relevant because it can conceal broader data-processing and scanning functionality from users and policy controls. If the skill can scan directories, inspect CSV/TSV, audit skill metadata, or run high-risk pattern checks beyond simple playbook drafting, it may process sensitive local content unexpectedly and be invoked in contexts where those behaviors are inappropriate.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The skill claims to be read-only and to avoid risky command execution, but then instructs the agent to execute a local Python script when shell/exec is available. This contradiction can mislead reviewers and operators into approving or invoking a skill under a lower-risk assumption, while the actual behavior permits code execution with whatever privileges the agent runtime has.

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding
Shell/exec capability is not necessary for the stated task of reorganizing provided knowledge into SOP/playbook drafts, so its presence is unjustified and increases risk. Even a simple python3 invocation can be leveraged to read additional files, overwrite outputs, or perform unintended actions if the script or arguments are modified, especially in agent environments with broad workspace access.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The script supports multiple audit modes beyond the stated skill purpose of organizing knowledge into SOP/playbooks, including directory auditing, pattern scanning, CSV auditing, and skill package validation. This capability expansion increases the data exposure and behavioral scope of the skill, making it easier to inspect local files and repurpose the tool for unintended analysis tasks that users may not expect from the declared metadata.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The code performs security-style pattern scanning for secrets, dangerous shell constructs, and private URLs, which is outside the expected scope of a playbook-authoring skill. While it does not exfiltrate data by itself, it can read arbitrary local files and surface sensitive snippets into generated reports, creating confidentiality and scope-creep risks if used on broad directories.

Vague Triggers

Medium
Confidence: 82%
Finding
The trigger examples are broad natural-language phrases that could overlap with ordinary user requests, increasing the chance this skill is invoked unintentionally. In this skill's context the impact is limited because the README repeatedly states the tool is for drafting Markdown playbooks and not for directly executing dangerous actions, but misrouting could still cause confusing or inappropriate handling of user input.

VirusTotal

62/62 vendors flagged this skill as clean.