Synapse Code

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate workflow helper, but it needs review because it combines broad local code execution with a scope that expands well beyond its stated code-development purpose.

Install only if you intend to grant a workflow skill permission to run local Python/npm tools, execute configured pipeline scripts, index project knowledge, and write persistent project logs. Review config.json before use, keep pipeline.workspace and paths.pipeline_script pointed at trusted files, and avoid using the broad analytics/research modes with sensitive databases, APIs, cookies, or private documents unless you have deliberately scoped that access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    """Run gitnexus analyze --force."""
    gitnexus_bin = get_gitnexus_bin()
    try:
        result = subprocess.run(
            [gitnexus_bin, "analyze", "--force"],
            cwd=project,
            capture_output=True,
Confidence
86% confidence
Finding
result = subprocess.run( [gitnexus_bin, "analyze", "--force"], cwd=project, capture_output=True, text=True, check=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    return True

    try:
        result = subprocess.run(
            ["python3", "pipeline.py", "new", project_name],
            cwd=pipeline_workspace,
            capture_output=True,
Confidence
77% confidence
Finding
result = subprocess.run( ["python3", "pipeline.py", "new", project_name], cwd=pipeline_workspace, capture_output=True, text=True, ch

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        log_progress(0, total_stages, "执行 REQ 阶段...")

        last_shown_stage = 0
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=600)
        elapsed = time.time() - start_time

        if result.returncode == 0:
Confidence
90% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=600)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        log_step(1, "REQ - 需求分析", "running")
        log_progress(0, total_stages, "开始执行 Pipeline...")

        result = subprocess.run(cmd, capture_output=True, text=True, timeout=1800)  # 30-minute timeout
        elapsed = time.time() - start_time

        if result.returncode == 0:
Confidence
90% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=1800)  # 30-minute timeout

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    return True  # No summary to log

    try:
        result = subprocess.run(
            ["python3", str(auto_log_script), str(pipeline_summary)],
            capture_output=True, text=True, timeout=60
        )
Confidence
82% confidence
Finding
result = subprocess.run( ["python3", str(auto_log_script), str(pipeline_summary)], capture_output=True, text=True, timeout=60 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documentation clearly instructs use of shell commands, project initialization, file creation, and pipeline execution, yet the manifest does not declare permissions for file read, file write, or shell access. This creates a capability transparency gap: users and orchestration layers may invoke a skill with broader effective power than is explicitly disclosed, increasing the risk of unintended command execution or filesystem changes.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The guide documents broad capabilities such as copywriting, design, data analysis, translation, and research that materially exceed the skill’s stated purpose of a code-development workflow engine. This scope expansion can cause the orchestrator or users to invoke the skill for unrelated high-trust tasks, increasing prompt-injection surface, data exposure, and unauthorized actions outside the intended security boundary.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The document materially expands the skill from code-development into writing, design, analytics, translation, and research, which exceeds the declared manifest scope. This kind of scope drift is dangerous because it can cause the agent to activate in contexts users and policy systems do not expect, increasing the chance of unintended actions, misrouting, or bypass of narrower safety controls tied to the advertised purpose.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The auto-detection logic actively routes user input into non-development categories, operationalizing the scope expansion rather than merely documenting it. This is risky because ambiguous prompts could trigger unexpected workflows outside the skill's stated purpose, reducing transparency and making downstream safeguards or user consent checks less reliable.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The configuration enables multiple non-code operational modes and agent sets, showing the broadened behavior is intended to be deployed, not just brainstormed. In skill-based systems, shipping capabilities beyond the declared purpose can undermine trust boundaries, confuse invocation logic, and expose users to actions or content handling pathways that have not been properly authorized or reviewed.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The document materially expands the advertised scope of the skill from code-development into writing, design, analytics, translation, and research workflows. This kind of scope drift is dangerous because downstream orchestrators or users may grant broader trust, invoke the skill for unintended tasks, or allow it to handle data classes and actions not covered by the manifest’s declared purpose and review assumptions.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The document claims external data acquisition capabilities including database access, API access, web scraping, and literature gathering without those powers being reflected in the skill metadata. Undeclared external access is risky because it can mislead operators about what the skill may retrieve or expose, increasing the chance of unauthorized data access, scraping of sensitive resources, or overbroad network/database use under a code-focused trust model.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The manifest presents the skill as a code-development workflow engine, but the body expands it into writing, design, analytics, translation, and research orchestration. This scope drift weakens trust boundaries and can cause the skill to be selected for tasks far outside the user's expected risk model, potentially granting code-oriented tooling access in contexts that do not require it.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill advertises broad non-code task execution capabilities that are not justified by its stated purpose, effectively turning a code workflow skill into a general-purpose orchestrator. In combination with described shell and file operations, this increases the chance of over-broad invocation, misuse, or policy bypass because unrelated tasks may inherit higher-risk capabilities than necessary.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The README advertises multiple non-code agent roles and workflows—writing, design, analytics, translation, and research—even though the skill metadata describes a code-development workflow engine. This scope expansion can cause the agent to be invoked in unintended contexts, increasing the chance of over-privileged use, policy bypass through misclassification, and user reliance on capabilities that were not reviewed under the stated manifest purpose.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The scenario configuration and auto-recognition rules claim automatic handling of broad task classes far beyond code development, including writing, design, analytics, translation, and research. This is dangerous because downstream orchestrators may activate agents for sensitive or unreviewed workflows based solely on keywords, creating a mismatch between declared purpose and actual behavior that weakens trust boundaries and security assumptions.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill metadata says this is a code-development workflow engine, but the orchestrator broadens itself into unrelated domains like writing, design, analytics, translation, and research. This creates scope drift and unsafe overreach: a user invoking a coding skill could trigger actions and outputs outside the expected trust boundary, increasing the chance of unauthorized data use, improper task routing, and policy bypass through non-code sub-agents.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
The cross-scene collaboration section explicitly instructs the orchestrator to coordinate writing, design, translation, research, and analytics work under a code-oriented skill. That mismatch makes the skill more dangerous in context because users and platform controls may assume software-delivery scope, while the skill can actually fan out into unrelated domains and process broader classes of content or requests.

Unvalidated Output Injection

High
Category
Output Handling
Content
    # Check freshness via gitnexus status
    gitnexus_bin = get_gitnexus_bin()
    try:
        proc = subprocess.run(
            [gitnexus_bin, "status"],
            cwd=project,
            capture_output=True,
Confidence
84% confidence
Finding
subprocess.run( [gitnexus_bin, "status"], cwd=project, capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
    # Try to get phase from pipeline status
    try:
        proc = subprocess.run(
            ["python3", "pipeline.py", "status", project_name],
            cwd=pipeline_workspace,
            capture_output=True,
Confidence
87% confidence
Finding
subprocess.run( ["python3", "pipeline.py", "status", project_name], cwd=pipeline_workspace, capture_output

VirusTotal

67/67 vendors flagged this skill as clean.