sjht-server-audit

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate server-audit skill, but it can collect sensitive remote host details over SSH and store them locally with weak disclosure and scoping.

Install only if you want an agent to perform deliberate SSH-based security audits of servers you administer. Treat outputs as sensitive, confirm before running against any host, avoid use on shared workstations, and delete or protect generated temporary audit files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (91% confidence)
Finding
The skill advertises very broad trigger conditions such as general 'server check' and environment investigation requests, which can cause it to activate for routine server-help tasks that do not clearly require a remote security audit. In this context, over-broad invocation is risky because the skill performs SSH-based inspection of remote hosts and may expose sensitive system, service, and security configuration data when a narrower troubleshooting skill would have been more appropriate.

Missing User Warnings

Medium (89% confidence)
Finding
The script collects extensive sensitive host data over SSH and writes it to a local temporary file, including running services, listening ports, SSH settings, failed login history, cron jobs, process lists, and web/server configuration details. Although this appears intended for legitimate administration, storing such reconnaissance data locally without an explicit warning, consent prompt, retention control, or permission hardening increases exposure if the operator workstation is shared, compromised, or logs are later exfiltrated.

VirusTotal

66/66 vendors flagged this skill as clean.
