Design Review

Security checks across malware telemetry and agentic risk

Overview

This is mostly a design-review helper, but its checker scripts silently contact a telemetry URL taken from an environment variable, and the skill instructs the agent to apply it broadly and automatically, including writing design decisions into memory.

Review before installing. Use it only if you are comfortable with an always-on design QA workflow. Before running the scripts, unset ADS_TELEMETRY_URL or remove the telemetry code, and require explicit approval before the agent writes design decisions into memory or modifies skill reference files.
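One way to verify that advice before trusting the scripts, as an added example that is not part of the Design Review skill or of SkillSpector: run the checker under a guard that refuses and records every outbound connection, once with the variable set and once with it unset. The telemetry helper in the block is constructed to match the shape of the flagged code (an endpoint read from ADS_TELEMETRY_URL and passed to urllib.request.urlopen); the names egress_guard, run_guarded and ping_telemetry are this example's own.

```python
"""Egress guard for running untrusted checker scripts offline (added example)."""
import contextlib
import os
import socket
import urllib.request


class EgressAttempt(Exception):
    """Raised when guarded code tries to open a network connection."""


@contextlib.contextmanager
def egress_guard(log):
    """Replace urllib.request.urlopen and socket.create_connection so that every
    outbound connection is appended to `log` and refused. The socket patch also
    catches code that imported urlopen by name, because http.client creates its
    sockets through socket.create_connection at request time. Libraries that
    build sockets themselves would additionally need socket.socket patched."""
    real_urlopen = urllib.request.urlopen
    real_connect = socket.create_connection

    def blocked_urlopen(url, *args, **kwargs):
        target = url if isinstance(url, str) else url.full_url
        log.append(("urlopen", target))
        raise EgressAttempt(target)

    def blocked_connect(address, *args, **kwargs):
        host, port = address[:2]
        log.append(("socket", f"{host}:{port}"))
        raise EgressAttempt(f"{host}:{port}")

    urllib.request.urlopen = blocked_urlopen
    socket.create_connection = blocked_connect
    try:
        yield log
    finally:
        urllib.request.urlopen = real_urlopen
        socket.create_connection = real_connect


def ping_telemetry(script_name):
    """Constructed stand-in for the flagged helper: reads the endpoint from the
    environment, returns silently if unset, and swallows every error if set.
    Because of that bare except, the EgressAttempt raised by the guard never
    surfaces; the log, not the exception, is what reveals the attempt."""
    endpoint = os.environ.get("ADS_TELEMETRY_URL")
    if not endpoint:
        return
    try:
        urllib.request.urlopen(f"{endpoint}/skill-fired/{script_name}", timeout=2)
    except Exception:
        pass


def run_guarded(func, *args, env=None):
    """Run func(*args) with the given environment overrides (value None means
    unset) under the guard, restore the environment, and return the list of
    egress attempts. An empty list means the code stayed offline."""
    env = env or {}
    saved = {k: os.environ.get(k) for k in env}
    for k, v in env.items():
        if v is None:
            os.environ.pop(k, None)
        else:
            os.environ[k] = v
    attempts = []
    try:
        with egress_guard(attempts):
            func(*args)
    finally:
        for k, v in saved.items():
            if v is None:
                os.environ.pop(k, None)
            else:
                os.environ[k] = v
    return attempts


if __name__ == "__main__":
    print(run_guarded(ping_telemetry, "check_a11y.py",
                      env={"ADS_TELEMETRY_URL": "http://telemetry.example"}))
    print(run_guarded(ping_telemetry, "check_a11y.py",
                      env={"ADS_TELEMETRY_URL": None}))
```

With the variable set, the log shows the exact URL the script tried to reach even though the script itself reports nothing; with it unset, the log stays empty, which is the observable basis for the "unset ADS_TELEMETRY_URL" advice. To check a real checker script rather than the stand-in, import its module and pass its entry point to run_guarded.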

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (17)

Tainted flow: 'endpoint' from os.environ.get (line 19, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
if not endpoint:
    return
try:
    urllib.request.urlopen(f"{endpoint}/skill-fired/{script_name}", timeout=2)
except Exception:
    pass
Confidence
98% confidence
Finding
urllib.request.urlopen(f"{endpoint}/skill-fired/{script_name}", timeout=2)

Tainted flow: 'endpoint' from os.environ.get (line 19, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
if not endpoint:
    return
try:
    urllib.request.urlopen(f"{endpoint}/skill-fired/{script_name}", timeout=2)
except Exception:
    pass
Confidence
98% confidence
Finding
urllib.request.urlopen(f"{endpoint}/skill-fired/{script_name}", timeout=2)

Tainted flow: 'endpoint' from os.environ.get (line 18, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
if not endpoint:
    return
try:
    urllib.request.urlopen(f"{endpoint}/skill-fired/{script_name}", timeout=2)
except Exception:
    pass
Confidence
95% confidence
Finding
urllib.request.urlopen(f"{endpoint}/skill-fired/{script_name}", timeout=2)
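The three findings above are the same source-to-sink pattern reported in three separate scripts. As an added example that is not SkillSpector's implementation, the block below shows the kind of AST-based taint check that produces such a finding, run over a constructed sample module that mirrors the flagged helper (the sample is not the skill's file). It goes slightly beyond the findings on the page: the fixpoint in tainted_names follows variable-mediated chains as well as the direct f-string case. TAINT_SOURCES, NETWORK_SINKS, find_taint_flows and SAMPLE are this example's own names.

```python
"""Static taint check: environment-sourced values reaching network sinks."""
import ast

# Calls whose return value is treated as tainted (environment/credential sources).
TAINT_SOURCES = {("os", "environ", "get"), ("os", "getenv")}
# Calls that move data out of the process (network sinks). Deliberately narrow:
# a bare `urlopen(...)` after `from urllib.request import urlopen` is not matched.
NETWORK_SINKS = {("urllib", "request", "urlopen"), ("requests", "get"), ("requests", "post")}


def dotted(node):
    """Resolve an attribute chain such as urllib.request.urlopen to a name tuple."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return tuple(reversed(parts))
    return None  # call on a subscript or another call: not tracked here


def taint_origin(node, tainted):
    """Line of the taint source feeding `node`, or None if it is clean. Walks
    into f-strings, concatenations and nested calls, so a tainted name embedded
    in f"{endpoint}/..." is found."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call) and dotted(sub.func) in TAINT_SOURCES:
            return sub.lineno
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return tainted[sub.id]
    return None


def tainted_names(fn):
    """Map variable name -> source line for every name assigned from a taint
    source, iterated to a fixpoint so variable-mediated chains are followed."""
    tainted = {}
    changed = True
    while changed:
        changed = False
        for stmt in ast.walk(fn):
            if not isinstance(stmt, ast.Assign):
                continue
            origin = taint_origin(stmt.value, tainted)
            if origin is None:
                continue
            for target in stmt.targets:
                if isinstance(target, ast.Name) and target.id not in tainted:
                    tainted[target.id] = origin
                    changed = True
    return tainted


def find_taint_flows(source):
    """Return [(source_line, sink_line, sink)] for each network-sink call whose
    positional or keyword argument derives from a taint source in the same function."""
    flows = []
    tree = ast.parse(source)
    for fn in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = tainted_names(fn)
        for call in (n for n in ast.walk(fn) if isinstance(n, ast.Call)):
            sink = dotted(call.func)
            if sink not in NETWORK_SINKS:
                continue
            for arg in list(call.args) + [kw.value for kw in call.keywords]:
                origin = taint_origin(arg, tainted)
                if origin is not None:
                    flows.append((origin, call.lineno, ".".join(sink)))
                    break
    return flows


# Constructed sample module mirroring the flagged helper (not the skill's file).
SAMPLE = '''\
"""check_a11y: flag <img> tags without alt text (local regex scan)."""
import os
import re
import urllib.request


def _ping(script_name):
    endpoint = os.environ.get("ADS_TELEMETRY_URL")
    if not endpoint:
        return
    try:
        urllib.request.urlopen(f"{endpoint}/skill-fired/{script_name}", timeout=2)
    except Exception:
        pass


def scan(path):
    with open(path, encoding="utf-8") as fh:
        return re.findall(r"<img(?![^>]*alt=)[^>]*>", fh.read())
'''

if __name__ == "__main__":
    for src, sink, name in find_taint_flows(SAMPLE):
        print(f"Tainted flow: line {src} (environment) -> {name} at line {sink}")
```

On the sample the check reports one flow, from the os.environ.get assignment to the urlopen call, and stays silent for scan(), whose only calls are the local open() and re.findall(). The analysis is intra-procedural and flow-insensitive, which is enough for the pattern in these findings but will miss a value that leaves a function through a return or an attribute.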

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares no permissions, yet its behavior references capabilities including file reads, environment access, and network use. That creates a transparency and consent problem: an always-active skill can silently access local context and potentially exfiltrate data via telemetry, which is more dangerous because users would not expect those capabilities from the metadata.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The described purpose is a benign design-review quality gate, but the implementation reportedly includes external telemetry and additional checking behavior not disclosed in the description. This mismatch is security-relevant because operators may authorize or auto-apply the skill under false assumptions, while the undeclared network behavior can send data outside the environment.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
This file is presented as an accessibility and semantic HTML checker, but it performs external telemetry unrelated to that stated purpose. Hidden side effects in a developer tool are risky because they violate user expectations, create privacy concerns, and can leak execution activity from sensitive build or review environments.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
A design/accessibility review skill has no clear operational need to contact external services during normal execution. Adding telemetry capability to such a utility increases attack surface and creates an unnecessary outbound communication path in environments that may process proprietary UI code.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill is presented as a local design-review quality gate, but it performs outbound telemetry, violating user expectations and expanding the attack surface. Hidden network behavior in a developer tool is risky because it can exfiltrate usage signals and undermine trust, especially when the skill description gives no indication that any remote communication occurs.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
A design-review checker has no obvious need to contact external services to perform regex-based file scanning, so the telemetry capability is unjustified in context. That makes the behavior suspicious and potentially harmful because it introduces unnecessary data egress and a covert channel from developer environments.

Intent-Code Divergence

Low
Confidence
90% confidence
Finding
The docstring describes only local scanning behavior, while the implementation also phones home, creating a documentation-to-behavior mismatch. Although lower severity than the network sink itself, this concealment is still security-relevant because it reduces the chance users notice and evaluate unexpected outbound communication.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
A UI state checker is expected to perform local static analysis, but this file also contains unrelated outbound telemetry logic. That mismatch increases risk because users and reviewers may execute the script assuming it is offline-only, while it silently emits network traffic whenever the environment variable is set.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The module documentation describes only local state completeness checks, but the implementation also performs external telemetry. This is dangerous because it conceals network behavior from users and auditors, undermining informed consent and making the outbound call less likely to be detected during normal review.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The skill says it should apply on all visual and frontend work with no exceptions, which is overly broad automatic-trigger language. In context, this increases attack surface because a frequently invoked skill with file-reading and possible network behavior may run in many situations where it is unnecessary, amplifying unintended data access or leakage.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The instruction that the skill does not need permission or a specific trigger makes activation ambiguous and bypasses normal intent checks. This is especially risky for a core skill because it normalizes silent execution and can cause the agent to read project files or run checks without clear authorization.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The telemetry fires automatically and silently, with no visible warning, prompt, or consent flow, so users may not realize tool execution metadata is being transmitted. In enterprise or regulated environments, even basic run metadata can reveal project activity patterns and violate policy expectations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The telemetry call occurs silently and fails silently, with no user-facing warning, prompt, or log message. In a local developer tool, undisclosed outbound communication is dangerous because users cannot make an informed decision, audit what was transmitted, or detect misuse of the feature.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The telemetry request is silent, automatic, and has no user-facing warning, prompt, or consent mechanism. In the context of an always-active design-review skill, undisclosed network activity is more dangerous because the tool may run frequently across many projects, creating covert metadata leakage at scale.

VirusTotal

64/64 vendors reported this skill as clean.