Metric Definition Catalog

Security checks across malware telemetry and agentic risk

Overview

This skill is a mostly coherent metrics-catalog helper, but caution is needed because its bundled script contains unused audit/scanning code that goes beyond the advertised workflow.

Install only if you want a local metrics-definition cataloging helper. Use scoped, non-sensitive inputs, review the generated Markdown before acting on it, and do not modify the bundled spec to enable audit/scanning modes unless you intentionally want that broader local-file inspection behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill declares no permissions, yet its documented capabilities include file read/write and shell execution. This creates a transparency and policy-enforcement gap: users and orchestrators may treat the skill as low-risk while it can perform materially more powerful actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose is metric-definition cataloging, but the detected behavior includes directory scanning, content sampling, CSV/TSV profiling, high-risk pattern scanning, structure validation, and mode-switching from external spec data. That mismatch is dangerous because it broadens data access and execution scope beyond user expectations, increasing the chance of unauthorized collection, misuse, or hidden dual-use behavior.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The documentation explicitly permits running a local Python script, but shell/script execution is not necessary for the stated purpose of organizing metric definitions. Allowing execution introduces command and file-handling risk, especially when inputs or paths may be influenced by users or surrounding workflow data.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
Claiming the skill is 'default read-only' while also documenting executable script usage is a misleading safety assertion. Users may rely on the read-only claim and invoke the skill in sensitive contexts, even though script execution can enable writes, broader file access, or other side effects.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The dispatcher exposes multiple operating modes unrelated to the declared metric-definition catalog purpose, including directory auditing, CSV auditing, pattern scanning, and skill-package auditing. This kind of scope mismatch is dangerous because it enables arbitrary local file inspection under the guise of a benign analytics skill, increasing the chance of unauthorized data discovery and misuse in agent workflows that trust the manifest.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The pattern scanning logic searches arbitrary files for secrets, internal URLs, and risky shell constructs, which is outside the declared metrics-catalog use case. In context, this is dangerous because it turns the skill into a lightweight reconnaissance tool that can surface sensitive content from unrelated files, making accidental or intentional data exposure more likely.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill_audit and frontmatter parsing routines inspect arbitrary skill package contents and metadata, which is unrelated to organizing metric definitions. This broadens the tool's effective authority and can expose repository structure and metadata from unrelated projects, especially if an agent is allowed to run it over local directories without careful review.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The directory enumeration and file sampling functions recursively inventory arbitrary directories and read multiple text-based file types. For a metrics-definition skill, this is unjustified and risky because it can collect and summarize contents from unrelated local files, creating unnecessary exposure of sensitive business or developer information.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The README uses broad trigger phrases like '整理这批指标定义' ("organize this batch of metric definitions") and '统一口径和计算方式' ("unify the definitions and calculation methods"), which can overlap with ordinary user requests and cause the skill to activate unintentionally. While this does not directly enable code execution or data exfiltration, accidental invocation can lead to workflow confusion, misrouting, or unintended processing of sensitive business metric materials.

VirusTotal

62/62 vendors flagged this skill as clean.
