LLM Service Manager

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it manages Ollama/vLLM/OpenAI-compatible LLM services, with some expected but important privacy and system-side-effect considerations.

Install this only if you want an agent to manage local LLM tooling. Use api: only with endpoints you trust, because prompts and any configured API key are sent there. Use start and pull deliberately, since they can launch a local service or download large model files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Context-Inappropriate Capability
Severity: Medium. Confidence: 81%.
Finding: The skill can start a local service process even though its description emphasizes management rather than explicit privileged execution boundaries. In an agent setting, launching background software changes host state and may expose a new local API surface without strong consent or scope controls.

Context-Inappropriate Capability
Severity: Medium. Confidence: 90%.
Finding: The module reads an environment-defined API base URL and treats it as an OpenAI-compatible endpoint, allowing prompts to be sent to arbitrary destinations. In the context of a supposedly local LLM manager, this broadens network exfiltration risk because user inputs may be transmitted off-host to an endpoint not clearly disclosed to the user.

Vague Triggers
Severity: Medium. Confidence: 89%.
Finding: The trigger phrases are broad enough that normal conversation about LLMs, local models, or Ollama could invoke this skill unintentionally. In a skill that can start services, download models, and send prompts to external API endpoints, unintended activation can lead to surprising side effects, privacy issues, or unnecessary system/network actions.

Vague Triggers
Severity: High. Confidence: 96%.
Finding: The catch-all '(any text)' command makes the interface effectively accept arbitrary user input and auto-route it to an available service. Because the skill supports both local and API-backed querying, ambiguous free text could be sent to external endpoints or trigger unintended model interactions without clear user consent, increasing the risk of data leakage and misuse.

Missing User Warnings
Severity: Medium. Confidence: 94%.
Finding: The documentation advertises actions that may download models and send user queries to OpenAI-compatible API endpoints, but it provides no warnings about privacy, bandwidth, cost, or the distinction between local and remote processing. Users may reasonably assume all operations are local, causing accidental disclosure of sensitive prompts or unanticipated downloads and charges.

Missing User Warnings
Severity: Medium. Confidence: 93%.
Finding: This function sends user prompts and optional bearer credentials to an external API endpoint without any user-facing notice at the call site. That creates a confidentiality risk because sensitive prompt content may be disclosed to remote infrastructure unexpectedly, and credentials are used silently based on environment state.

Missing User Warnings
Severity: Medium. Confidence: 87%.
Finding: The skill silently consumes environment-based configuration and credentials to reach a remote model endpoint. In an agent context, accessing secrets is not inherently malicious, but using them without clear disclosure or permission can surprise users and enable unintended outbound data flows.

Missing User Warnings
Severity: Low. Confidence: 80%.
Finding: Starting a local service subprocess modifies the system state and may expose a listening service, yet the action occurs from a simple command without strong prior warning or confirmation. In a tool-integrated environment this can be risky because users may not expect background services to be launched on their host.

Missing User Warnings
Severity: Low. Confidence: 86%.
Finding: The model pull command can trigger network downloads and significant resource consumption but does not clearly warn the user about those side effects. While not a direct exploit primitive, it can cause unexpected bandwidth, storage, and operational impact in an automated agent context.

VirusTotal

64/64 vendors flagged this skill as clean.