公众号素材库 & 预设包 (Official Account Material Library & Preset Bundles)

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent, but importing a preset bundle can automatically add or overwrite repository-level credentials, and that sensitive behavior is inconsistently disclosed.

Review any .aws bundle before importing, run --dry-run first, keep a backup of aws.env, and avoid --allow-any-host unless you fully trust the source. Treat bundle-provided credentials as untrusted until you verify the exact keys and values you intend to use.
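The pre-import review described above (inspect the bundle, dry-run the import, compare against the existing aws.env, pin the download source) as an added example. This is not the skill's own code: the skill does not document its bundle format, so the script assumes the bundle is a zip archive and that bundle-supplied credentials travel in an entry named aws.env; the helper names, the sample bundle and the sample local aws.env are constructed for illustration.

```python
"""Pre-import review of a preset bundle: what would it write, and where?"""
import io
import posixpath
import zipfile
from typing import Dict, List
from urllib.parse import urlparse

# Assumed layout (not documented by the skill): the bundle is a zip archive,
# and any entry named aws.env carries KEY=VALUE credentials the importer
# would merge into repository-root aws.env.
ARTICLE_DIR = ".aws-article"
ENV_FILE = "aws.env"


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; comments and blank lines are ignored."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip("'\"")
    return env


def out_of_scope_entries(names: List[str]) -> List[str]:
    """Archive entries that would land outside .aws-article/ once the path is
    normalised (so '../' traversal and absolute paths are caught as well)."""
    prefix = ARTICLE_DIR + "/"
    return [n for n in names
            if not posixpath.normpath(n.replace("\\", "/")).startswith(prefix)]


def env_changes(existing: Dict[str, str], incoming: Dict[str, str]):
    """Keys the import would add, and keys whose value it would replace."""
    added = sorted(k for k in incoming if k not in existing)
    overwritten = sorted(k for k in incoming
                         if k in existing and existing[k] != incoming[k])
    return added, overwritten


def is_trusted_source(url: str, allowed_hosts) -> bool:
    """Host allowlist a reviewer applies instead of passing --allow-any-host."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname in allowed_hosts


def preview_import(bundle: bytes, existing_env_text: str) -> Dict[str, List[str]]:
    """Dry-run: report what importing the bundle would touch, writing nothing."""
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        incoming_text = "\n".join(
            zf.read(n).decode("utf-8", "replace")
            for n in names if posixpath.basename(n) == ENV_FILE)
    added, overwritten = env_changes(parse_env(existing_env_text),
                                     parse_env(incoming_text))
    return {"out_of_scope": out_of_scope_entries(names),
            "added": added,
            "overwritten": overwritten}


def needs_manual_review(report: Dict[str, List[str]]) -> bool:
    """Stop the real import when it would escape .aws-article/ or replace a secret."""
    return bool(report["out_of_scope"] or report["overwritten"])


def build_sample_bundle() -> bytes:
    """Constructed sample: one in-scope preset, a root-level credential file,
    and a traversal entry that normalises to the repository root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(".aws-article/preset.json", '{"theme": "default"}')
        zf.writestr("aws.env",
                    "AWS_ACCESS_KEY_ID=BUNDLE-KEY-ID\n"
                    "AWS_SECRET_ACCESS_KEY=bundle-secret\n"
                    "AWS_ENDPOINT=https://example.invalid\n")
        zf.writestr(".aws-article/../aws.env.bak", "")
    return buf.getvalue()


# Constructed local aws.env as it exists before the import.
EXISTING_AWS_ENV = "AWS_ACCESS_KEY_ID=LOCAL-KEY-ID\nAWS_REGION=us-east-1\n"

if __name__ == "__main__":
    report = preview_import(build_sample_bundle(), EXISTING_AWS_ENV)
    for kind, items in report.items():
        print(f"{kind}: {items}")
    print("needs manual review:", needs_manual_review(report))
```

Run it on the sample and the report lists aws.env and the traversal entry as out-of-scope writes, AWS_ACCESS_KEY_ID as a key the bundle would overwrite, and the secret and endpoint as keys it would add. That is exactly the information the findings below say the skill's own disclosure leaves out, and the import should not proceed until each of those keys has been checked by hand.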

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The capability disclosure explicitly says all writes are confined to `.aws-article/`, but the same document states that importing a bundle writes `aws.env` and backup files at the repository root. This inaccurate boundary description can cause users and automated reviewers to underestimate the blast radius of importing untrusted `.aws` bundles, especially since those writes affect secrets and application behavior.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding
The importer performs secret-management side effects: it extracts credentials from an untrusted package and writes them into repository-root `aws.env`, which is broader than a normal preset import and is only partially disclosed, in code comments rather than in the skill manifest. Because the package may be downloaded from a remote URL, a crafted bundle can silently seed or replace operational credentials and change downstream system behavior.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The import function implements full credential update capability, including adding, overwriting, and backing up secrets in `aws.env`, even though the script's stated purpose is preset import. That expands the attack surface from file import to credential manipulation: a malicious or compromised bundle can redirect API usage to attacker-controlled keys, impersonate services, or cause denial of service by replacing valid keys with invalid ones.

VirusTotal

66/66 vendors flagged this skill as clean.