Obscure Package Master

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent package-mirroring purpose, but it downloads arbitrary PyPI source and turns it into persistent local agent skills without a clear approval boundary.

Install only if you want an agent to download package source and create persistent local skills. Before running it, explicitly choose the package, version, and output path, prefer a project-local directory over a global provider skills folder, and treat generated SKILL.md/docstrings as untrusted package text.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands

Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill instructs the agent to read environment variables, execute a Python script, and write generated files into provider-specific skill directories, yet it declares no permissions or user-consent boundary. This creates a capability transparency failure: the agent may perform shell execution and filesystem modification implicitly, increasing the risk of unauthorized local changes, package-fetch side effects, or misuse of ambient credentials exposed through the environment.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script inspects provider-specific credential environment variable names to infer which AI platform is active, even though package mirroring does not require reading credential presence. In a skill context, this expands the script's scope into environment reconnaissance and can reveal sensitive platform usage or steer installation into provider-specific locations without explicit user consent.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The code is designed to write generated content into provider-specific skill directories under the user's home directory, which goes beyond producing a local mirror and effectively performs installation into agent-integrated locations. In this skill setting, that increases risk because downloaded package content is repackaged and placed where an AI agent may later consume it automatically.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README explicitly instructs the agent to download arbitrary packages from PyPI and write a mirrored copy into local skill directories, but it does not warn about the trust boundary change, network access, disk writes, or the possibility of importing hostile package content into the agent's working context. In a skill system, normalizing retrieval of unvetted third-party code into persistent local references can expand the attack surface and make later prompt/context poisoning or unsafe file interactions more likely.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger criteria are broad and subjective, such as activating when uncertainty exceeds 5% or when documentation feels sparse, which can cause the skill to run in many ordinary situations without a clear necessity threshold. In combination with the skill's ability to execute scripts and write files, ambiguous activation materially raises the chance of unnecessary privileged actions being taken without strong user intent.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill explicitly directs the agent to run a Python script and create a new installed skill under a filesystem path without any user-facing warning or approval gate. That is dangerous because it normalizes arbitrary local code execution and persistent file creation, potentially pulling package content and modifying agent behavior through newly installed skills in trusted directories.

VirusTotal

67/67 vendors flagged this skill as clean.