Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
Sequence Alignment
Security checks across malware telemetry and agentic risk
Overview
The visible skill bundle is mostly coherent, but it includes high-impact admin and review helpers with broad execution authority that deserve human review before installation.
Install only in a ClawHub maintainer or Convex development environment where you expect these powers. Review the moderation commands carefully, use confirmation and audit logging for staff actions, and consider running the autoreview helper with its no-yolo option or disabling fallback reviewers when repository diffs should not leave the environment.
SkillSpector
By NVIDIA
Vulnerability Patterns
- MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)
VirusTotal
66/66 vendors flagged this skill as clean.