Eywa

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a purpose-built remote coordination helper, but users should treat anything sent through it as shared with an external service.

Install this only if you are comfortable using the Eywa remote service for coordination. Do not send secrets, credentials, regulated data, or proprietary context unless you have approved that endpoint and its retention/access model; consider setting EYWA_URL only to a trusted service you control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill instructs the agent to invoke a local shell script via `bash {baseDir}/eywa-call.sh ...`, which is a shell execution capability, but the skill does not declare corresponding permissions. This creates a transparency and policy gap: users and hosts may not realize the skill can execute commands and make outbound network calls through installed binaries, increasing the risk of unexpected code execution or data egress.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill encourages logging operations, storing persistent knowledge, and sharing status/context in an Eywa room backed by a remote endpoint, but it does not clearly warn users that agent activity, artifacts, and learned knowledge are transmitted to an external service and visible to other agents and potentially humans. In practice this can expose sensitive project data, credentials-adjacent context, file paths, system activity, or proprietary knowledge beyond the local environment.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This script transmits the requested tool name and arbitrary JSON arguments to a remote Eywa service by default, but it provides no explicit warning, consent step, or guardrail about what data may leave the local environment. In an agent-skill context, callers may pass prompts, memory, task data, or other sensitive content into ARGS, so silent external transmission creates a real data-exposure risk even if the behavior is the skill's intended function.

External Transmission

Medium
Category
Data Exfiltration
Content
"${REQ_ID}" "${TOOL}" "${ARGS}")

# Call the MCP endpoint
RESPONSE=$(curl -s -X POST "${ENDPOINT}" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json, text/event-stream' \
  -d "${PAYLOAD}" 2>&1)
Confidence
95% confidence
Finding
curl -s -X POST "${ENDPOINT}" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json, text/event-stream' \
  -d

VirusTotal

65/65 vendors flagged this skill as clean.
