Tracebit Canaries

Security checks across malware telemetry and agentic risk

Overview

The skill has a legitimate canary-security purpose, but its broad activation and imperfect disclosures could let an agent start account setup, CLI authentication, credential-store changes, and recurring monitoring in situations where a user expected only security advice.

Review this skill before installing. It does not show exfiltration or destructive intent, but users should enable it only when they explicitly want Tracebit canaries, and should confirm each step before account creation, CLI install/auth, credential-store placement, heartbeat changes, email access, messaging, or cleanup commands that use sudo or edit credential files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The skill goes beyond canary deployment and alert handling into account creation, browser-driven signup, OAuth login, and fallback API-key creation. This expands the trust boundary to identity creation and credential handling, increasing the chance of unintended secrets exposure or actions the user did not expect from the skill description.

Description-Behavior Mismatch

Severity: Low
Confidence: 88%
Finding
Appending recurring checks to `HEARTBEAT.md` changes persistent workspace automation behavior, but that persistence is not clearly disclosed in the manifest description. Hidden or under-disclosed persistence is risky because it can create continuing monitoring behavior after the initial task is complete.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The document asserts the skill will never read or modify real credentials, yet its own removal instructions edit `~/.aws/credentials`, which is a real credential store. This mismatch is security-relevant because operators and enforcement systems may rely on the stated boundary and underestimate the risk of the removal workflow touching sensitive files.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The document states the install/remove flow uses no elevated privileges, but the published removal script invokes `sudo rm` on the Tracebit binary. That inconsistency can mislead users about privilege requirements and creates a risk that the agent or user will authorize privileged deletion operations under false assumptions.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The activation text is broad enough to match many generic security, hardening, compromise-investigation, or prompt-injection requests even when the user did not ask for Tracebit or for account/CLI setup. Overbroad invocation can cause the agent to initiate signup, auth, file writes, persistent heartbeat changes, or monitoring steps in contexts where the user expected only advice.

VirusTotal

VirusTotal findings are pending for this skill version.
