Motif Logo Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is a local motif-logo helper with capability and documentation gaps, but no hidden network access, credential use, persistence, or destructive behavior was found.

Before installing, treat this as a lightweight local prototype rather than a full publication-quality logo generator. Run it in an isolated Python environment, keep input and output paths inside your workspace, inspect any WebLogo commands before copying them into a shell, and verify the actual --help output because the documentation overstates the available options and dependencies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 83%
Finding: The skill explicitly instructs the agent to run a Python script that reads inputs and writes output files, yet the metadata declares no permissions. This creates a trust and policy-enforcement gap: a host system may approve the skill under the assumption it has no write capability, while the documented workflow still performs filesystem writes.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 89%
Finding: The documented purpose promises publication-quality graphical motif logos, but the analyzed behavior indicates the skill may instead generate ASCII output, emit shell commands for an external tool, and write those results to disk. This mismatch is dangerous because users and orchestrators may grant trust, automate downstream handling, or skip review based on the declared purpose, while the actual behavior can cause unexpected command generation and file output.

VirusTotal

66/66 vendors flagged this skill as clean.
