aicade galaxy create app skill

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for a legitimate aicade workflow, but it handles and stores API secrets and tells the agent to show secret values before upload, so it needs careful review before installation.

Install only if you are comfortable with a skill that participates in credential setup and upload preparation. Do not paste real API secrets into chat if a safer input method is available, ensure .env is gitignored, redact secrets in confirmations, and review any generated upload or migration steps before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The skill’s declared purpose is prompt assembly, but these instructions expand its behavior into credential discovery and persistence by directing the agent to collect API secrets and save them into a project-local .env file. That scope drift is dangerous because it normalizes secret handling in chat-driven workflows and can lead users to disclose credentials to an agent that did not clearly declare secret-management as a core function.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
The skill documentation goes beyond prompt building and instructs the agent to evaluate project compatibility, choose reimplementation paths, and migrate apps onto an external scaffold. This capability expansion increases the chance of unintended codebase changes or risky operational guidance under the guise of a simple prompt-builder, reducing user awareness of what the skill may cause.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The upload credential confirmation and build/upload workflow materially exceed the stated prompt-builder scope and push the agent into deployment-adjacent operations. This is risky because users may trust the skill as a harmless prompt generator while it actually solicits deployment secrets and steers release actions, creating opportunities for credential exposure and unauthorized or mistaken uploads.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The skill claims it does not modify anything automatically, but earlier sections instruct it to save user-provided values into the project’s local .env file immediately. This internal contradiction is dangerous because it misrepresents the skill’s side effects, undermines informed consent, and may cause users to expose secrets or permit writes they would otherwise refuse.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The skill is described as a prompt builder, but this workflow expands into credential discovery, user prompting for secrets, and local secret persistence. That broadening of capability violates least privilege and creates unnecessary access to sensitive material for a task that should only assemble prompts.

Description-Behavior Mismatch

Severity: Medium
Confidence: 82%
Finding
The documented behavior goes beyond assembling a prompt and instructs the agent to evaluate stack compatibility, stop the workflow, and potentially migrate/reimplement a project from an external scaffold. This scope expansion increases the chance of unintended code changes and supply-chain exposure unrelated to the declared purpose of the skill.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The upload workflow instructs the skill to manage deployment credentials, reconcile variable aliases, and confirm values before upload, which is materially different from prompt generation. Combining prompt building with deployment-secret handling raises the risk of credential leakage, misuse, or accidental deployment actions.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The workflow explicitly tells the agent to ask for missing API credentials one by one and save them immediately into a local `.env` file. For a prompt-construction skill, collecting and persisting secrets is unnecessary and dangerous because it increases secret exposure, creates lasting storage of sensitive values, and may place credentials into insecure project contexts.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding
This script writes API credentials and related configuration into an arbitrary project's .env file, which is outside the declared purpose of a prompt-building skill. In an agent-skill context, that creates an unexpected persistence path for secrets and can modify another project’s runtime configuration without clear user safeguards, increasing the risk of secret exposure or unsafe reconfiguration.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The code explicitly handles and mirrors API keys and secret keys across multiple environment variable names, enabling storage of sensitive credentials despite the skill being presented as a prompt-generation tool. This mismatch makes the capability more dangerous because users may not expect the skill to process or persist secrets, which can lead to accidental disclosure through source control, logs, backups, or downstream tooling.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill instructs the agent to collect API credentials and write them into .env without any explicit warning about the sensitivity of those secrets or safer alternatives. In a chat-centric workflow, that omission increases the likelihood users will paste secrets into conversation logs or allow insecure local persistence without understanding the risk.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The example tells the agent to restate upload variables together with their current values, including secret-bearing keys, without warning about exposure. Echoing secrets back in natural-language output can leak credentials into chat history, logs, screenshots, or other transcript storage, turning a setup flow into a disclosure vector.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The instructions direct immediate storage of sensitive credentials into `.env` without any warning about repository leakage, terminal history exposure, file permissions, or safe handling expectations. That omission makes accidental exposure more likely, especially in local development environments where `.env` may be committed or shared.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The upload confirmation step tells the skill to restate resolved variable names together with their current values, which can directly expose API keys and secret keys back to the user interface, logs, or transcripts. Echoing secrets is a clear secret-disclosure flaw and is especially risky in agent environments where conversations may be retained or monitored.

Ssd 3

Severity: High
Confidence: 99%
Finding
These instructions explicitly direct the agent to restate credentials with their current values before upload, which is a direct secret disclosure risk. Because agent conversations are often logged and reviewable, this behavior can expose deployment credentials to unauthorized viewers and enable account compromise or malicious uploads.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The examples normalize asking users for secret keys directly in chat and then immediately saving them, which increases the risk of collecting sensitive credentials through an insecure conversational channel. Even if the intent is setup convenience, handling secrets this way can leak them through logs, model context retention, or accidental echoing.

VirusTotal

VirusTotal findings are pending for this skill version.
