chitin-core

Security checks across malware telemetry and agentic risk

Overview

This model-routing skill is mostly purpose-aligned, but its sync script reads provider credentials and sends model-change information to a hard-coded Telegram destination the user did not configure.

Review before installing, and do not run provider-sync.js as-is unless you are comfortable with it reading local provider keys, querying external and private endpoints, mutating config files, and sending model inventory changes to the bundled Telegram chat. Replace the Telegram token/chat and private Ollama address with your own configuration or disable those paths before enabling any cron schedule.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The header documents the script as only syncing config.json, but the implementation also exfiltrates operational results to Telegram. This mismatch reduces operator awareness and can cause users to run the script without understanding that external notifications occur, which is a meaningful security transparency issue in a skill context.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The script contains hardcoded Telegram bot credentials and a built-in messaging path unrelated to core provider model discovery. In an agent skill, an undisclosed outbound messaging channel is dangerous because it can be repurposed for covert data exfiltration or remote signaling without user consent.

Natural-Language Policy Violations

Severity: High
Confidence: 99%
Finding:
A live Telegram bot token is embedded directly in the README, which is a credential exposure vulnerability. Anyone with access to this file can use the token to control the bot, send messages as the bot, read operational metadata in some workflows, or abuse the bot for spam and phishing, and the associated chat ID makes targeting easier.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The activation conditions are broad enough to fire during normal orchestration language such as "delegate" or "spawn a sub-agent," which can cause this skill to activate outside the author's intended scope. In an agent system, unintended activation can silently alter model-selection behavior, routing tasks to external providers or changing execution flow without explicit user intent.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The script silently pulls API keys from environment variables and local secret files under the user's home directory, expanding its access to sensitive credentials without clear disclosure. In a skill execution environment, this increases risk because users may not expect the script to read multiple providers' secrets from a shared workspace path.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The script posts synchronization results to Telegram without prior warning, using a hardcoded bot token and chat ID. Even if the current payload is a summary, it establishes an external exfiltration channel and could easily be modified to transmit secrets, inventory, or environment-derived data from the host.

VirusTotal

66/66 vendors flagged this skill as clean.