Regression Story Builder

Security checks across malware telemetry and agentic risk

Overview

This skill is a local QA drafting tool that reads user-provided input and can write a user-chosen report, with no evidence of network access, credential use, persistence, or destructive behavior.

Use it for drafting regression plans, not as proof that tests ran. If using the helper script, provide only intended or redacted bug data and choose an output path that is safe to create or overwrite; do not modify the packaged spec to enable the dormant audit modes unless you specifically want that broader local inspection behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill declares no permissions, yet its content explicitly references local resource reads, output file writes, and optional shell execution via python3. This creates a capability/permission mismatch that can mislead users and orchestrators about what the skill may do, weakening least-privilege controls and increasing the chance of unintended file or command access.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The declared purpose is regression story generation, but the analyzed behavior indicates broader filesystem inspection, content parsing, regex-based secret/high-risk pattern detection, and spec-driven mode switching. That hidden multifunctionality materially expands the attack surface and can enable unauthorized auditing or data discovery under the cover of a benign QA skill, especially because the extra behaviors are not transparently disclosed.

Description-Behavior Mismatch
Severity: High
Confidence: 92%
Finding: The script exposes multiple generic analysis modes via build_report, including directory, CSV, pattern, and skill auditing, which materially exceed the stated purpose of generating regression test stories from historical issues. This scope expansion increases the chance the skill is repurposed for broad repository inspection and content extraction, violating least-privilege expectations for a narrowly described QA-planning tool.

Description-Behavior Mismatch
Severity: High
Confidence: 95%
Finding: The embedded security-pattern scanner searches arbitrary files for secrets, private URLs, and dangerous shell constructs, which is unrelated to regression story building and can expose sensitive repository content in generated reports. In this skill context, the mismatch is especially concerning because users may invoke it expecting harmless QA planning while it performs security-oriented repository inspection instead.

Description-Behavior Mismatch
Severity: Medium
Confidence: 85%
Finding: The skill includes package auditing and frontmatter validation for skill directories, which is unrelated to its declared regression-story-builder role. While not directly destructive, this hidden auxiliary functionality broadens the data the tool can inspect and undermines user trust by performing analysis outside the expected task boundary.

Context-Inappropriate Capability
Severity: High
Confidence: 94%
Finding: Repository-wide pattern scanning is context-inappropriate here because it can enumerate sensitive strings and risky command snippets from many file types and then print them into reports. Even though execution is not performed, the capability creates an information disclosure risk and a deceptive mismatch between declared QA-story generation and actual repository security inspection.

Context-Inappropriate Capability
Severity: Medium
Confidence: 82%
Finding: Directory and skill-structure auditing let the script traverse arbitrary directories and summarize repository contents beyond the minimum needed for regression planning. In a skill advertised for QA workflow support, this hidden breadth increases the risk of unintended data exposure and misuse for broad reconnaissance of local project files.

VirusTotal

66/66 vendors flagged this skill as clean.