ML Pipeline

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it overstates its ML/trading capabilities while granting broad local command and file authority and bundling scripts that can scan, copy, overwrite, and delete files.

Review this as a starter/template skill, not a production trading ML pipeline. Install only in a dedicated workspace, inspect any Bash/Write/Edit actions before allowing them, avoid running recursive analyzers on sensitive directories, and use the deployment helper only with source and target paths you are comfortable modifying or overwriting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The script markets itself as an end-to-end feature engineering and model training pipeline, but it only performs superficial file inspection and JSON parsing. In an ML trading context, this kind of capability misrepresentation is dangerous because users may rely on it for critical data-processing or anti-leakage workflows that are not actually occurring, leading to silent failure, bad models, and unsafe deployment decisions.

Intent-Code Divergence

Severity: High
Confidence: 95%
Finding
The comments explicitly state that the core processing logic is only a template placeholder, while the surrounding documentation presents the tool as a complete ML pipeline. This discrepancy creates a deceptive interface that can cause operators to trust nonexistent processing, especially in financial ML where missing validation or leakage controls can directly corrupt downstream decisions.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The file advertises ML feature-importance analysis, but actually performs recursive filesystem inventory and metadata collection. This mismatch can mislead users into running a script on sensitive directories, causing unintended disclosure of file structure, names, sizes, and operational environment details, especially in an ML/trading skill where users may expect data-science-safe behavior rather than broad file auditing.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding
The CLI help text reinforces a false security/functionality expectation by claiming permutation importance and SHAP-style analysis while the program only enumerates files. In an agent skill, deceptive CLI descriptions are dangerous because automated users or orchestration systems may invoke the tool against project roots or data mounts, unintentionally exposing internal filesystem information or performing actions outside the expected ML workflow.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding
The script's actual behavior is unrelated to the skill's advertised ML/trading pipeline and instead performs generic recursive auditing of directories and files. In this context, capability drift is security-relevant because a mislabeled tool inside a trading/ML skill can be used to probe repository contents, mounted volumes, or sensitive research data under the guise of benign model analysis.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The CLI advertises a '--force' flag for overwrite control, but deployment always uses shutil.copy2 and will overwrite existing files regardless of whether '--force' was provided. This creates unsafe and misleading behavior that can destroy or replace files in the target directory unexpectedly, especially in production deployment contexts.

VirusTotal

66/66 vendors flagged this skill as clean.