hxl-code-reviewer

Security checks across malware telemetry and agentic risk

Overview

This is a coherent MCP server-building guide with an optional evaluator; no hidden malicious behavior was found, but the evaluator should only be run on test or read-only systems.

Install only if you intend to build or evaluate MCP servers. Run the optional evaluator in a virtual environment with pinned dependencies, use synthetic or read-only test data, avoid production credentials, and review generated reports before sharing them because tool inputs and outputs may be included.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 86%
Finding
The skill instructs the agent to create MCP servers and evaluation artifacts, including writing files and interacting with MCP-capable tooling, but it declares no permissions. This mismatch can cause unsafe execution in environments that rely on explicit permission declarations, because users and policy systems are not clearly informed that the skill may write files or interact with external MCP services.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding
The stated description presents the skill as a development guide, but the behavior described by analysis includes acting as an MCP client, invoking remote tools, running evaluations, calling Anthropic APIs, and generating reports. This description-behavior gap is security-relevant because operators may approve the skill expecting passive guidance while it actually enables active external interaction, data transmission, and potentially costly or risky tool execution.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The guide explicitly demonstrates collecting an API key from the user via `ctx.elicit(..., input_type="password")` without any security framing, storage restrictions, or recommendation to prefer preconfigured secrets/token brokers. In a skill intended to teach MCP server construction, this normalizes credential harvesting patterns and can lead developers to build tools that solicit, handle, and possibly expose sensitive secrets unnecessarily.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The resource example exposes local file contents through a URI template (`file://documents/{name}`) and reads from `./docs/{name}` with no validation, allowlist, or path normalization. In a guide focused on external API/service integration, this broadens scope toward local file access and teaches a pattern that could become path traversal or unintended local data exposure when copied into real MCP servers.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The example requests an API key in plain language and presents it as a normal tool interaction, but provides no warning about secret handling, safer alternatives, or downstream risks like logging, prompt leakage, or reuse across sessions. Documentation that omits these caveats can directly influence insecure implementations by downstream developers.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
The guidance explicitly instructs tools to request and use user API keys, which is a sensitive-data handling pattern that can easily be abused or implemented insecurely. Because this is prescriptive instructional content, it has elevated risk: readers may reproduce the pattern verbatim without adding safeguards, resulting in credential theft or accidental disclosure.

Ssd 3

Severity: Medium
Confidence: 98%
Finding
The evaluation system prompt explicitly instructs the model to disclose every tool input and output in <summary> tags. Since those summaries are persisted into the final report, any secrets present in prompts, headers, API responses, tool arguments, or tool results can be echoed into logs or output files, creating a clear sensitive-data exposure risk.

Known Vulnerable Dependency: anthropic — 2 advisories: CVE-2026-34450 (Claude SDK for Python has Insecure Default File Permissions in Local Filesystem); CVE-2026-34452 (Claude SDK for Python: Memory Tool Path Validation Race Condition Allows Sandbox)

Severity: Low
Category: Supply Chain
Confidence: 89%
Finding: anthropic

Known Vulnerable Dependency: mcp — 3 advisories: CVE-2025-53366 (MCP Python SDK vulnerability in the FastMCP Server causes validation error, lead); CVE-2025-66416 (Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection); CVE-2025-53365 (MCP Python SDK has Unhandled Exception in Streamable HTTP Transport, Leading to )

Severity: High
Category: Supply Chain
Confidence: 97%
Finding: mcp

VirusTotal

66/66 vendors flagged this skill as clean.