AetherCore v3.3

Security checks across malware telemetry and agentic risk

Overview

AetherCore is a local JSON-processing and file-indexing tool. Its documentation overstates its safety: the tool performs broad file reads, in-place writes, and keeps persistent index files that may store sensitive content.

Install only if you are comfortable with a local tool that can read, overwrite, and index files you point it at. Use a virtual environment, avoid credential and system directories, review any generated .index or index_data files, and do not rely on the included security verification script as proof of safety.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill advertises significant capabilities including file read/write, shell execution, and network-related installation requirements, but does not declare permissions accordingly. This creates a trust and review gap: operators may approve or run the skill without understanding that it can access arbitrary paths, modify local files, invoke shell-based install flows, and potentially reach external resources.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documentation makes strong safety claims such as 'all security review issues fixed' and 'production ready' while describing or implying broader behavior including installation via pip, arbitrary local file processing, indexing and compaction across directories, and pickle-based persistence. This mismatch is dangerous because users and reviewers may rely on the safety claims and underestimate the real attack surface, especially around unsafe deserialization, broad file access, and filesystem modifications.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
This script presents itself as a security verification tool, but its checks are superficial grep patterns that can be trivially bypassed and do not validate actual behavior. More importantly, it prints an unconditional all-clear summary at the end regardless of earlier warnings or failures, which can mislead users and downstream reviewers into trusting unsafe code.
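
Added example, not AetherCore's verification script: it contrasts the kind of substring check the finding describes with an AST-based check that follows `import x as y` aliases, and it builds a verdict from every check result instead of printing an unconditional all-clear. The three sample sources, the `DANGEROUS_CALLS` set and the function names are constructed for the demonstration.

```python
import ast

# Constructed sample sources. The second imports pickle under an alias, which a
# substring search for "pickle.load(" never sees.
SAMPLE_PLAIN = (
    "import pickle\n"
    "with open(p, 'rb') as f:\n"
    "    idx = pickle.load(f)\n"
)
SAMPLE_ALIASED = (
    "import pickle as pk\n"
    "with open(p, 'rb') as f:\n"
    "    idx = pk.load(f)\n"
)
SAMPLE_CLEAN = (
    "import json\n"
    "with open(p) as f:\n"
    "    idx = json.load(f)\n"
)

# (module, attribute) pairs we want to flag; a starting point, not a complete list.
DANGEROUS_CALLS = {("pickle", "load"), ("pickle", "loads"), ("os", "system")}


def grep_check(source):
    """Substring check in the style of the original script: easy to evade by aliasing."""
    return sorted(f"{m}.{a}" for m, a in DANGEROUS_CALLS if f"{m}.{a}(" in source)


def ast_check(source):
    """Parse the file, resolve import aliases, then flag calls to dangerous attributes.

    Limitation (deliberate, to keep the example short): `from pickle import load`
    and getattr()-style indirection are not handled; a real checker would add them.
    """
    tree = ast.parse(source)
    aliases = {}  # local name -> real module name
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                aliases[alias.asname or alias.name] = alias.name
    hits = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)):
            module = aliases.get(node.func.value.id, node.func.value.id)
            if (module, node.func.attr) in DANGEROUS_CALLS:
                hits.append(f"{module}.{node.func.attr}")
    return sorted(hits)


def verdict(findings_per_file):
    """Honest summary: PASS only when every file produced zero findings."""
    total = sum(len(v) for v in findings_per_file.values())
    if total == 0:
        return True, "PASS: no dangerous calls found"
    return False, f"FAIL: {total} dangerous call(s) found"


if __name__ == "__main__":
    files = {"plain.py": SAMPLE_PLAIN, "aliased.py": SAMPLE_ALIASED, "clean.py": SAMPLE_CLEAN}
    print("grep:", {n: grep_check(s) for n, s in files.items()})
    print("ast: ", {n: ast_check(s) for n, s in files.items()})
    print(verdict({n: ast_check(s) for n, s in files.items()})[1])
```

The point for a reviewer is the last function: a check script's exit status and summary line must be computed from the accumulated findings, or downstream tooling (and humans) will read "all clear" regardless of what was found.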

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The generated declaration makes concrete capability and safety claims such as 'universal smart indexing' and 'universal auto-compaction' that this script does not actually perform. In a security-sensitive skill ecosystem, false capability claims can mislead operators into trusting unsupported features or safety properties, which may drive unsafe deployment decisions.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The installer prominently claims 'No system modifications' and 'User confirmation required for all operations', but it immediately runs `pip3 install -r requirements.txt` without any explicit prompt. This is a deceptive safety claim that can mislead users into approving execution under false assumptions, especially because package installation modifies the Python environment and may trigger installation-time code from dependencies.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The function is presented as a performance optimization, but its optimization step recursively removes all null values from dicts and lists, changing the meaning of input data. In many systems, null carries important semantics such as explicit clearing, tri-state logic, policy defaults, or schema compliance; silently stripping it can bypass validation, alter authorization/business logic, or corrupt security-relevant state.
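
Added example, not the skill's own optimizer: a recursive null-stripper in the style the finding describes, applied to a JSON merge patch (RFC 7396, where a null member means "remove this key"). A patch that revokes a role and an MFA exemption becomes a no-op after "optimization". The user record and patch are constructed; `compact_safely` shows a size reduction that keeps the data's meaning.

```python
import json


def strip_nulls(obj):
    """Recursive null removal of the kind the 'performance optimization' performs."""
    if isinstance(obj, dict):
        return {k: strip_nulls(v) for k, v in obj.items() if v is not None}
    if isinstance(obj, list):
        return [strip_nulls(v) for v in obj if v is not None]
    return obj


def merge_patch(target, patch):
    """RFC 7396 JSON merge patch: a null value in the patch deletes the member."""
    if not isinstance(patch, dict):
        return patch
    result = dict(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = merge_patch(result.get(key), value)
    return result


# Constructed records: an admin user and a patch that is supposed to demote them.
USER = {"name": "alice", "role": "admin", "mfa_exempt": True}
REVOKE = json.loads('{"role": null, "mfa_exempt": null}')


def apply_revocation(optimize):
    """Apply REVOKE to USER, optionally running the patch through strip_nulls first."""
    patch = strip_nulls(REVOKE) if optimize else REVOKE
    return merge_patch(USER, patch)


def compact_safely(obj):
    """Shrink the serialised form without changing what it means: drop whitespace, keep null."""
    return json.dumps(obj, separators=(",", ":"), sort_keys=True)


if __name__ == "__main__":
    print("without optimizer:", apply_revocation(False))
    print("with optimizer:   ", apply_revocation(True))
    print("safe compaction:  ", compact_safely(REVOKE))
```

Whether a deployed system uses merge-patch semantics or not, the lesson is the same: a transformation that drops keys is not an optimization, it is a schema change, and it has to be reviewed as one.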

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The optimize method accepts a caller-supplied path and writes data to it, allowing arbitrary file overwrite within the permissions of the running process. In an agent or skill context where untrusted input may influence arguments, this expands a data-processing utility into a filesystem write primitive that could clobber configuration, user files, logs, or application state.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide instructs users to execute ./install.sh directly without describing the script's actions, required privileges, or possible system modifications. In a security review context, asking users to run an opaque installer from a freshly cloned repository increases supply-chain and social-engineering risk because users are encouraged to execute unreviewed code.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The Ubuntu/Debian instructions tell users to run sudo apt commands that alter system package state, but the surrounding guidance does not clearly emphasize the trust boundary and consequences of privileged package operations. This is risky because users may copy-paste commands without appreciating that they will make persistent system-wide changes.

Vague Triggers

Medium
Confidence
85% confidence
Finding
Claiming support for indexing and compaction across 'ALL file types' without clear exclusions or trigger constraints encourages overly broad use on arbitrary directories, including sensitive or binary content. In context, this skill is explicitly designed to read and write user-specified paths, so vague universal-scope language increases the chance of accidental processing of secrets, system files, or incompatible data.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The manifest description claims broad capabilities like 'universal smart indexing for all file types' and presents the package as security-fixed and production-ready without clear operational scope, trigger conditions, or constraints. In a skill ecosystem, overstated capabilities can cause users or orchestrators to trust the skill with broader file access or automation than is justified, increasing the chance of unsafe deployment or misuse.

Natural-Language Policy Violations

Medium
Confidence
75% confidence
Finding
Declaring an 'english_first' policy without opt-in or justification is primarily a trust, usability, and policy-governance issue rather than a direct code-execution flaw, but it can still create misleading or exclusionary behavior in user-facing automation. In security-sensitive tooling, hidden locale assumptions may cause users to misinterpret prompts, warnings, or documentation, which can indirectly increase operational risk.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The manifest includes generic triggers such as "json", "optimization", "performance", and "context", which are common terms likely to appear in many normal user requests. Even though auto_enable and auto_load are false, broad trigger design can still cause unintended routing or over-selection when the skill is available, increasing the chance that the skill activates in contexts the user did not specifically intend.

Vague Triggers

Low
Confidence
95% confidence
Finding
The manifest contains empty trigger strings, which make matching behavior ambiguous and dependent on host implementation details. In some systems this may be ignored, but in weaker parsers or routing logic it can cause unpredictable activation, validation bypasses, or accidental always-match behavior.
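
Added example covering this finding and the generic-trigger finding above it; it is not the host's routing code. A naive substring router matches an empty trigger against every request (in Python, `"" in s` is true for any `s`), and matches a single generic word like "context" anywhere it appears. The hardened variants discard empty and very short triggers, match whole words, and require several distinct hits before selecting the skill. The manifest triggers and requests are constructed.

```python
import re

# Constructed manifest triggers in the shape the findings describe:
# generic words plus an empty string.
MANIFEST_TRIGGERS = ["json", "optimization", "performance", "context", ""]

# Constructed user requests; only the third is really about this tool.
REQUESTS = [
    "summarise this meeting transcript",
    "the context window is full",
    "speed up json optimization for performance",
]


def naive_match(triggers, request):
    """Substring routing. '' in request is always True, so the empty trigger matches everything."""
    return any(t in request for t in triggers)


def _usable_terms(triggers, min_len=4):
    """Drop empty and too-short triggers, normalise case."""
    return {t.strip().lower() for t in triggers if len(t.strip()) >= min_len}


def _words(request):
    return set(re.findall(r"[a-z0-9]+", request.lower()))


def word_match(triggers, request):
    """Whole-word routing after discarding empty triggers. Still fires on one generic word."""
    return bool(_usable_terms(triggers) & _words(request))


def specific_match(triggers, request, min_hits=2):
    """Require several distinct triggers so a single common word does not select the skill."""
    return len(_usable_terms(triggers) & _words(request)) >= min_hits


if __name__ == "__main__":
    for r in REQUESTS:
        print(f"{r!r}: naive={naive_match(MANIFEST_TRIGGERS, r)} "
              f"word={word_match(MANIFEST_TRIGGERS, r)} specific={specific_match(MANIFEST_TRIGGERS, r)}")
```

Which threshold is right depends on the host, but a manifest that ships empty or single generic-word triggers leaves that decision entirely to the host's parser, which is the ambiguity the finding describes.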

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The optimize fallback rewrites JSON files in place under a user-supplied path without confirmation, dry-run mode, backup creation, or atomic write protections. In a skill/agent context, this can cause unintended data corruption or destructive modification of user files if the command is invoked on the wrong directory or against sensitive project data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The file write uses open(path, 'w') directly, which truncates existing files without confirmation, backup, or safety checks. This makes accidental or attacker-influenced overwrite straightforward and especially risky in an agent environment, where tool inputs may be composed from external content and the module branding may cause operators to trust it as 'safe' performance tooling.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The loader reads any caller-supplied path and returns full file contents, with no restriction that the path remain inside the configured workspace and no consent, allowlist, or sensitivity checks. In an agent skill context, this can become arbitrary local file read and unintended data disclosure if upstream inputs are attacker-controlled or the skill is invoked on sensitive paths.
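
Added example serving this finding and the three write-side findings above it (arbitrary overwrite, in-place rewrite without backup or atomic write, bare `open(path, 'w')`). It is not AetherCore's code. `resolve_inside` canonicalises a caller-supplied path and rejects anything that escapes the configured workspace, including `..`, absolute paths and symlinks pointing outside; `write_json_atomic` keeps a `.bak` copy and writes through a temp file plus `os.replace` so a crash cannot leave a truncated target. The workspace, file names and contents in `demo` are constructed under a temporary directory.

```python
import json
import os
import shutil
import tempfile


class PathOutsideWorkspace(ValueError):
    """Raised when a caller-supplied path resolves outside the workspace."""


def resolve_inside(workspace, user_path):
    """Return the canonical absolute path, or raise if it is not under `workspace`.

    realpath() follows symlinks, so a link inside the workspace that points
    outside is rejected as well.
    """
    root = os.path.realpath(workspace)
    target = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, target]) != root:
        raise PathOutsideWorkspace(user_path)
    return target


def read_text(workspace, user_path):
    """Confined replacement for a loader that opens any path it is given."""
    with open(resolve_inside(workspace, user_path), encoding="utf-8") as f:
        return f.read()


def write_json_atomic(workspace, user_path, data, backup=True):
    """Confined, backed-up, atomic replacement for open(path, 'w') + json.dump()."""
    target = resolve_inside(workspace, user_path)
    if backup and os.path.exists(target):
        shutil.copy2(target, target + ".bak")
    # Temp file in the same directory so os.replace() is a same-filesystem rename.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(target), prefix=".tmp-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            json.dump(data, f, separators=(",", ":"))
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, target)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return target


def demo():
    """Constructed workspace: two writes to the same file, then three escape attempts."""
    ws = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(ws, "cfg"))
        write_json_atomic(ws, "cfg/app.json", {"debug": True, "flag": None})
        write_json_atomic(ws, "cfg/app.json", {"debug": False, "flag": None})
        after = json.loads(read_text(ws, "cfg/app.json"))
        backup = json.loads(read_text(ws, "cfg/app.json.bak"))
        escapes = []
        for p in ("../outside.json", "/etc/hostname", "cfg/../../x"):
            try:
                resolve_inside(ws, p)
                escapes.append(False)
            except PathOutsideWorkspace:
                escapes.append(True)
        return {"after": after, "backup": backup, "escapes": escapes}
    finally:
        shutil.rmtree(ws)


if __name__ == "__main__":
    print(demo())
```

Note that `null` survives the round trip here; the write path does not strip it, which is what a compaction step should look like.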

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The code calls pickle.load() on a file from disk without enforcing any trust boundary, signature check, or safe format restriction. A crafted pickle file can execute arbitrary code during deserialization, so anyone able to place or replace the index file could achieve code execution in the context of the application.
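
Added example, not the skill's loader: it shows that `pickle.load()` runs whatever callable a crafted file names (here `os.mkdir`, chosen because its side effect is harmless and observable), and a restricted unpickler, following the `find_class` override pattern from the Python `pickle` documentation, that refuses every global except a short list of builtin container and scalar types. The crafted and benign index blobs are constructed in `demo`; the safer fix is to not use pickle for the index at all.

```python
import builtins
import io
import os
import pickle
import shutil
import tempfile


class CraftedIndex:
    """Pickling this object stores 'call os.mkdir(path)'; the call runs inside load()."""

    def __init__(self, side_effect_path):
        self.path = side_effect_path

    def __reduce__(self):
        return (os.mkdir, (self.path,))


# Only plain data types; no functions, classes, or modules can be referenced.
SAFE_BUILTINS = {"dict", "list", "set", "tuple", "str", "int", "float", "bool"}


class RestrictedUnpickler(pickle.Unpickler):
    """Reject any global reference that is not an allowed builtin type."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def load_index_unsafely(blob):
    """What the finding describes: trust whatever is on disk."""
    return pickle.loads(blob)


def load_index_restricted(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo():
    """Constructed blobs: one crafted to create a directory on load, one benign."""
    d = tempfile.mkdtemp()
    try:
        marker = os.path.join(d, "created_by_pickle_load")
        crafted = pickle.dumps(CraftedIndex(marker))
        benign = pickle.dumps({"files": {"a.py": [1, 2]}, "version": 3})

        load_index_unsafely(crafted)          # os.mkdir(marker) executes here
        executed = os.path.isdir(marker)

        try:
            load_index_restricted(crafted)
            blocked = False
        except pickle.UnpicklingError:
            blocked = True

        return {
            "executed": executed,
            "blocked": blocked,
            "benign": load_index_restricted(benign),
        }
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print(demo())
```

A restricted unpickler limits the damage but still parses attacker-controlled bytes with a stack machine; for an index that is plain data, a JSON file (which the engine already writes elsewhere, per the finding below) removes the code-execution path entirely.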

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The engine serializes every indexed entry, including raw line content and metadata, into a persistent JSON file on disk. If users index sensitive files, this creates a secondary plaintext data store that may outlive the original workflow, increasing exposure through local compromise, backups, shared workspaces, or accidental disclosure. The skill context makes this more dangerous because the component is explicitly designed to ingest arbitrary files, so it is likely to process secrets, internal documents, or personal data.
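
Added example, not the engine's indexer: a gate that runs before a line is written into a persistent index, plus restrictive permissions on the index file. It skips well-known credential locations, redacts secret-looking spans (the patterns are a starting point, not a complete set), and creates the index with mode 0600 so other local users cannot read it. The sample paths and lines are constructed; the AWS key below is the documented example key, not a real one.

```python
import json
import os
import re
import shutil
import stat
import tempfile

# Path components and file names that should never be indexed.
SKIP_PATH_PARTS = {".git", ".ssh", ".aws", ".gnupg", "node_modules"}
SKIP_FILENAMES = {".env", "id_rsa", "id_ed25519", "credentials", ".netrc"}

# Secret-looking content; pattern 3 keeps the key name and only redacts the value.
SECRET_PATTERNS = [
    (re.compile(r"AKIA[0-9A-Z]{16}"), "[REDACTED]"),                       # AWS access key id
    (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), "[REDACTED]"),
    (re.compile(r"(?i)\b(api[_-]?key|secret|password|token)\b(\s*[:=]\s*['\"]?)([^'\"\s]{8,})"),
     r"\1\2[REDACTED]"),
]

# Constructed sample of (path, line) pairs as an indexer would see them.
SAMPLE = [
    ("src/app.py", "def load(path):"),
    ("src/settings.py", 'password = "hunter2-long-enough"'),
    (".aws/credentials", "aws_access_key_id = AKIAIOSFODNN7EXAMPLE"),
]


def should_index_path(path):
    parts = set(os.path.normpath(path).split(os.sep))
    if parts & SKIP_PATH_PARTS:
        return False
    return os.path.basename(path) not in SKIP_FILENAMES


def redact_line(line):
    """Return (line with secret-looking spans replaced, whether anything was replaced)."""
    hit = False
    for pattern, replacement in SECRET_PATTERNS:
        line, n = pattern.subn(replacement, line)
        hit = hit or n > 0
    return line, hit


def write_index_private(directory, entries):
    """Create index_data.json with 0600 at creation time, not chmod'ed afterwards."""
    path = os.path.join(directory, "index_data.json")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump(entries, f)
    return path


def demo():
    """Run the gate over SAMPLE, write the index, and report what landed on disk."""
    d = tempfile.mkdtemp()
    try:
        entries = []
        for path, line in SAMPLE:
            if not should_index_path(path):
                continue
            text, hit = redact_line(line)
            entries.append({"path": path, "line": text, "redacted": hit})
        index_path = write_index_private(d, entries)
        mode = stat.S_IMODE(os.stat(index_path).st_mode)
        return {"entries": entries, "group_other_bits": mode & 0o077}
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print(demo())
```

Redaction at index time is a mitigation, not a substitute for the exclusions: a line the patterns miss is still stored in plaintext, which is why the skip lists come first.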

VirusTotal

66/66 vendors flagged this skill as clean.
