Skill Review

Security checks across malware telemetry and agentic risk

Overview

This is a real skill-security scanner, but it lets its LLM-driven analysis run unrestricted shell commands while reviewing untrusted skill packages.

Install or run this only inside a disposable, network-restricted sandbox with no sensitive files or credentials beyond a limited model API key. The scanner's purpose is legitimate, but its LLM agent can run arbitrary shell commands despite read-only wording, so do not point it at private repositories or run it on your normal workstation until that shell tool is removed or technically sandboxed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding
The skill launches an LLM agent with a bash-capable tool over the user-supplied skill directory, which gives the model the ability to execute arbitrary shell commands during a scan. For a security review tool, read-only inspection may be justified, but unrestricted shell execution materially increases risk because prompt injection or model error could cause file modification, exfiltration, or execution of untrusted project code.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The Bash tool advertises a narrowly constrained, read-only interface, but the implementation passes the supplied string directly to execSync, which invokes a shell and permits arbitrary command execution. That means a caller, or any prompt-injected content that influences tool use, can run destructive commands, exfiltrate data, access network resources, or execute payloads despite the stated safety policy.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
This skill is for security review of packages, but it exposes a general-purpose shell execution tool that is far broader than required for its mission. In an agent setting, unnecessary shell access significantly increases attack surface because malicious skill content, prompt injection, or model error can turn the tool into a host-level command runner inside the skill directory.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The tool sends skill contents and pre-scan results to an external agent/model for analysis, which can expose proprietary code, secrets, or sensitive files from the scanned package to a third-party service. In a security scanner context this is especially important because users may assume analysis is local unless clearly told otherwise.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The tool logger records full bash commands and serialized tool arguments verbatim, which can expose secrets embedded in command lines, file paths, tokens, credentials, or sensitive prompt/tool inputs to logs. In a security-review skill, this is especially risky because analyzed content and execution context may already contain sensitive material, so logging increases the chance of unintended disclosure even if there is no active attacker.

Missing User Warnings

Severity: Low
Confidence: 81%
Finding
The debug helper returns provider metadata, API identifiers, error details, content type information, and a preview of assistant text, which may contain sensitive model output or internal operational details. Although this is framed as debugging support, exposing these fields without sanitization can leak confidential prompts, findings, or backend information if the object is logged, surfaced to users, or sent to telemetry.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal