Secret Exposure Gate

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local secret-scanning helper; it can read a chosen path and write a report, but I found no hidden networking, persistence, destructive behavior, or credential exfiltration.

Install only if you want a local pre-release scanner. Point it at a specific project or release directory, keep generated reports private because they may contain sensitive snippets or private URLs, and use stdout or dry-run behavior when you do not want a report file written.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill declares no permissions, yet its content explicitly indicates shell execution and file output capabilities via `python3 ... --output <输出文件>`. This creates a transparency and trust problem: a user or orchestrator may treat the skill as low-risk/read-only when it can execute code and write files, increasing the chance of unintended data access or modification.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 85%
Finding: The documented purpose is a narrow secret-scanning gate, but the analyzed behavior suggests a broader, dynamically switchable auditing tool driven by an external `spec.json`. That mismatch is dangerous because it can cause users and policy systems to authorize the skill for a limited security review use case while it performs broader file inspection, reporting, or mode changes outside the stated scope.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding: The script dispatches to multiple generic modes such as structured brief, directory audit, CSV audit, pattern audit, and skill audit based on external spec data, which materially expands behavior beyond the stated purpose of pre-release secret exposure checking. In a security skill, this scope drift is dangerous because it enables arbitrary content summarization and repository inspection workflows that can enumerate sensitive files or repackage data under the cover of a narrowly described secret-scanning tool.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The directory audit mode inventories arbitrary files, extensions, and Markdown headings instead of detecting secrets. That behavior can expose repository structure and document topics, which may leak sensitive operational context or private project information while failing to perform the promised secret-focused security control.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding: The CSV audit mode summarizes schema completeness and uniqueness rather than checking for secret-bearing values. This can disclose dataset structure and data profiling information from potentially sensitive files, while giving users a false impression that a secret exposure gate was actually performed.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The skill_audit function performs generic package compliance checks on skill files and frontmatter, which is unrelated to secret exposure scanning. In this skill context, unrelated auditing functionality broadens the accessible analysis surface and can be used to inspect package structure and metadata under a misleading security-oriented label.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding: The trigger examples are broad natural-language phrases such as asking to scan a directory for secrets, which can overlap with ordinary user requests and cause the skill to activate unexpectedly. In a security-sensitive skill, accidental invocation can expose local file contents, broaden data access, or cause unintended scanning of user repositories during unrelated conversations.

VirusTotal

65/65 vendors flagged this skill as clean.