uStack

Security checks across malware telemetry and agentic risk

Overview

uStack is a coherent, user-invoked CLI for cloning upstream agent repos, analyzing Git changes, and writing local report artifacts, with no evidence of hidden data theft or destructive behavior.

This skill is reasonable to install if you want a local CLI for tracking upstream agent-framework changes. Be aware that it clones arbitrary Git repositories you provide and stores analysis output under .ustack; avoid using it on untrusted repos until the git shell-interpolation issue is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium (98% confidence)
Finding
This is a true command-injection risk because `fromSha` and `toSha` are interpolated directly into a shell command passed to `execSync`. If either value is attacker-controlled, shell metacharacters or crafted git revision syntax can execute arbitrary commands or alter the command behavior, and this skill's purpose of ingesting upstream repositories makes externally influenced revision values more plausible.

Missing User Warnings

Medium (98% confidence)
Finding
This is a true vulnerability because `fromSha` and `toSha` are inserted into `git diff --name-status` via `execSync`, which invokes a shell. An attacker able to influence these values could inject shell syntax for arbitrary command execution, or abuse unexpected git revision parsing to access unintended history or produce misleading results.

Missing User Warnings

Medium (99% confidence)
Finding
This is a true command-injection issue because both `sha` and `filePath` are concatenated into `git show ${sha}:${filePath}` and executed through the shell. If an attacker controls either parameter, they may execute arbitrary OS commands or manipulate the git object specifier to read unintended repository content; in a cross-framework import/update engine that processes upstream repos, this context increases exposure to untrusted input.

VirusTotal

62/62 vendors flagged this skill as clean.