nas-master

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for NAS inventory work, but it asks for powerful NAS/SSH access and persistently indexes broad private file metadata with weak boundaries.

Review before installing. Use only a dedicated least-privilege read-only NAS account, do not store real admin passwords in the skill directory, verify or pin the SSH host key before connecting, restrict scans to approved volumes, exclude sensitive hidden paths unless needed, and secure or disable the MySQL/PHP dashboard.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands

Findings (8)

Description-Behavior Mismatch

High (98% confidence)

The skill claims strict read-only safety while explicitly instructing persistence of scan results, record updates, and generation of a PHP dashboard on disk. That contradiction is dangerous because operators may authorize the skill under false assumptions, while it actually performs writes to databases and the local filesystem.

Intent-Code Divergence

High (97% confidence)

The documentation repeats read-only assurances while directing creation of frontend files and database modifications. Conflicting safety claims reduce transparency and can lead to accidental deployment in environments where no-write behavior is a hard requirement.

Context-Inappropriate Capability

Medium (81% confidence)

Granting the skill broad business-analysis, project-management, and general coding roles expands its operational scope beyond NAS metadata scraping without a clear justification. Unnecessary breadth increases the chance of prompt injection, unintended actions, and user confusion about what the skill is authorized to do.

Context-Inappropriate Capability

Medium (90% confidence)

The instruction to continuously search for free online tools, APIs, and resources introduces external-research and possible outbound-network behavior unrelated to NAS scraping. In a credentialed NAS/SSH context, such capability expansion raises the risk of unnecessary data transmission, unreviewed third-party interaction, or abuse through malicious prompts.

Intent-Code Divergence

Medium (98% confidence)

The code disables SSH host-key verification by using AutoAddPolicy, causing the client to trust any host key presented by the server. This makes the NAS connection vulnerable to man-in-the-middle attacks, allowing an attacker on the network to impersonate the NAS, capture credentials, and feed falsified RAID/Btrfs data back to the scraper.

Vague Triggers

Medium (78% confidence)

Broad, ambiguous invocation language makes it unclear when the skill should activate and what boundaries apply. In practice, vague triggers can cause over-invocation and execution of sensitive NAS, SSH, or database-related behavior in contexts where the user did not intend it.

Missing User Warnings

Medium (88% confidence)

The skill handles NAS and SSH credentials and accesses remote storage, but the description omits a clear warning about credential use and data access over SMB/SSH. Without transparent disclosure, users may not understand the sensitivity of the operation or the potential exposure of internal file metadata and system details.

Missing User Warnings

Medium (99% confidence)

Disabling host-key verification on an SSH connection removes server authentication, so the script cannot distinguish the real NAS from an attacker-controlled endpoint. In this skill context, which uses environment-supplied NAS credentials, exploitation could expose credentials and contaminate collected system metadata with attacker-supplied output.

VirusTotal

65/65 vendors flagged this skill as clean.
