Skill Install Checker

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local pre-install checker that runs a bundled Python script on user-provided inputs and does not exhibit hidden network, credential, destructive, or persistent behavior.

Install only if you are comfortable with a local Python helper reading the skill directory or input file you provide and optionally writing a report. Use it on intended skill materials, avoid pointing it at broad sensitive folders, and review the generated report before making any environment changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no permissions, yet its instructions explicitly allow shell execution via `python3 .../scripts/run.py` and imply reading local resources and writing output files. This creates a transparency and policy-enforcement gap: users or orchestrators may treat the skill as low-risk/read-only while it can actually execute code and write data, increasing the chance of unintended command execution or data exposure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The documented purpose is a pre-install environment checker, but the detected behavior is much broader: scanning arbitrary directory contents, parsing multiple file types, regex-searching for sensitive patterns, generating generic reports, and writing results to output files. That mismatch is dangerous because it expands the data-access surface beyond user expectations, enabling unintended collection of secrets or unrelated local content under the cover of a benign-sounding install-check skill.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The script's implemented behavior is materially broader than the declared skill purpose. Instead of validating installation prerequisites such as binaries, environment variables, OS support, and sandbox constraints, it performs generic content scanning, repository auditing, CSV analysis, and pattern-based secret/dangerous-command detection. This scope drift is dangerous because users may grant or trust this skill under an installation-preflight mental model, while it actually inspects arbitrary files and directories, increasing unnecessary data exposure and violating least privilege.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code can recursively enumerate and read many text files from arbitrary directories via directory_report, pattern_report, and related helpers, which is not justified by an install-checker role. In skill ecosystems, this kind of overbroad file inspection can expose sensitive local content, secrets, internal URLs, or repository metadata to reports or downstream consumers, especially when users invoke the skill expecting narrow preflight validation.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger examples are broad natural-language phrases without clear scoping or exclusion criteria, which can cause the skill to activate in contexts beyond strict preflight/install auditing. In an agent system, overbroad routing can lead to the wrong skill being selected, producing misleading installation guidance or unnecessary environment inspection in unrelated tasks.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The template hard-codes Chinese-language output and guidance, which can override or conflict with the user's preferred language if reused blindly by an agent. This is not a code-execution issue, but it can cause unsafe or misleading interactions by reducing user comprehension, especially for installation preflight results that may contain warnings, rollback advice, or environment risks.

VirusTotal

63/63 vendors flagged this skill as clean.