Survey Response Coder

Security checks across malware telemetry and agentic risk

Overview

This skill is a local survey-response analysis helper that reads user-chosen files and can write a user-chosen report, with no evidence of hidden networking, credential access, persistence, or destructive behavior.

Install only if you are comfortable running a local Python helper on survey files you select. De-identify respondent data before use, prefer stdout or dry-run when reviewing behavior, and do not change spec.json to directory_audit, pattern_audit, or skill_audit unless you intentionally want broader local-file inspection.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding
The skill declares no explicit permissions, yet its documentation authorizes file read, file write, and shell execution. That creates hidden capability expansion: users and orchestrators may treat it as a low-risk text-processing skill while it can invoke local scripts and write outputs. In a skill that may process survey data containing sensitive responses, undeclared filesystem and shell access increases the risk of unintended data exposure or misuse.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 90%
Finding
A description-behavior mismatch is a real security concern because it undermines informed consent and policy enforcement. The static finding indicates the skill can perform broader directory scanning, content inspection for secrets or risky patterns, and spec-driven audit-mode switching beyond survey response coding; that means users may expose unrelated local files to a skill they believe is limited to qualitative analysis. In this context, processing survey data often coexists with confidential research materials, making overbroad scanning more dangerous.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The documentation explicitly permits shell/script execution even though the stated task is transforming open-ended survey responses into coded outputs, which can be achieved without arbitrary command execution. Granting shell capability where it is not operationally necessary enlarges the attack surface: prompt injection, path manipulation, or unsafe handling of input filenames could turn a benign analysis skill into a local command runner.

Intent-Code Divergence

Severity: Medium
Confidence: 86%
Finding
The skill claims a safety boundary of being 'default read-only, auditable, reversible' while simultaneously instructing the agent to run a script that writes an output file. This contradiction can mislead users and reviewers about the real side effects of the skill, weakening trust and increasing the chance of accidental modification or leakage of sensitive survey data through unexpected file creation.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The dispatch logic implements a generic reporting/audit utility driven by spec mode rather than a survey-response coder aligned to the declared skill purpose. This capability mismatch is dangerous because it enables broader local file and directory analysis than users would reasonably expect from the manifest, increasing the risk of unauthorized inspection of local content under misleading branding.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The pattern scanning logic searches arbitrary files for secrets, private URLs, and risky shell constructs, which is unrelated to qualitative survey analysis and materially expands the skill's access to sensitive local data. In this skill context, that is more dangerous because users may supply survey datasets containing confidential respondent information while believing the tool only performs coding, not security reconnaissance over broader file contents.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The directory audit functionality enumerates arbitrary files, samples document headings, and summarizes directory contents, which is unrelated to the advertised survey-coding task. This broad filesystem inspection can expose confidential project structure or document contents and is especially problematic because the skill's stated use case would not lead users to anticipate directory reconnaissance behavior.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The CLI description presents the script as a generic local support tool, reinforcing that the implementation does not match the specialized survey-coding manifest. Misleading documentation is security-relevant here because it obscures true capabilities and undermines informed consent, making users more likely to run a tool that inspects local files beyond the expected task.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding
The trigger examples are broad, generic natural-language phrases that could overlap with ordinary requests, increasing the chance that the skill activates when the user did not explicitly intend to invoke this survey-coding workflow. In this skill’s context the effect is mostly unintended routing or irrelevant output rather than direct system compromise, but it can still cause mistaken processing of potentially sensitive survey text.

VirusTotal

66/66 vendors flagged this skill as clean.
