Python Auto Dev

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Python automation skill, but it needs Review because its test and optimization scripts can turn user-controlled paths into Windows shell commands.

Install only in a dedicated Windows conda environment and use it on trusted project files. Avoid unusual or untrusted path names until the scripts stop using cmd.exe with joined command strings, and inspect generated code before running tests or profiling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
conda_activate_cmd = f'call {DEFAULT_CONDA_PATH} activate {DEFAULT_ENV}'
full_cmd = f"{conda_activate_cmd} && {' '.join(command)}"

proc = subprocess.run(
    ["cmd.exe", "/c", full_cmd],
    capture_output=True,
    text=True,
Confidence
95% confidence
Finding
proc = subprocess.run( ["cmd.exe", "/c", full_cmd], capture_output=True, text=True, cwd=cwd, env=os.environ.copy() )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
full_cmd = f"{conda_activate_cmd} && {' '.join(command)}"

# Run via cmd.exe
proc = subprocess.run(
    ["cmd.exe", "/c", full_cmd],
    capture_output=True,
    text=True,
Confidence
95% confidence
Finding
proc = subprocess.run( ["cmd.exe", "/c", full_cmd], capture_output=True, text=True, cwd=PROJECT_DIR, env=os.environ.copy() )

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
This script intentionally executes the target Python file under `cProfile` and also runs external developer tools, which means analysis of an untrusted file results in code execution. That is dangerous because a user expecting static optimization help may instead run attacker-controlled Python with the analyst's privileges and environment. The skill context increases risk because 'optimization' sounds like analysis, but `--run-profile` causes real execution.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill describes automatic code generation and storage under a fixed local path but does not clearly warn that it will write files to a hard-coded directory on the host. This can surprise users, overwrite existing content, leak sensitive generated artifacts into an unintended location, or create persistence on the local machine without explicit informed consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that scripts are called directly and handle conda activation internally, but it does not prominently warn that it will execute tests and auxiliary scripts automatically in the local conda environment. Running generated or modified code and test suites on the host can trigger arbitrary code execution, dependency abuse, filesystem changes, or network activity, especially because the workflow includes debugging and patching steps.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Profiling the target file with `python -m cProfile ... <file>` executes the file, but the script provides only a mild 'may take time' hint rather than a clear warning that arbitrary code will run. If a user profiles an untrusted Python file, that file can perform any actions available to the current user account. In a code-assistance skill, this hidden execution behavior is especially risky.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
This is the core command-injection issue: user-controlled values flow into `command`, then into `full_cmd`, then into `cmd.exe /c` without escaping. In this testing utility, the inputs are expected to be paths, but the shell will treat crafted path strings as control syntax, making the context more dangerous because the tool is likely run in a developer environment with broad filesystem and credential access.

Unvalidated Output Injection

High
Category
Output Handling
Content
full_cmd = f"{conda_activate_cmd} && {' '.join(command)}"

# Run via cmd.exe
proc = subprocess.run(
    ["cmd.exe", "/c", full_cmd],
    capture_output=True,
    text=True,
Confidence
93% confidence
Finding
subprocess.run( ["cmd.exe", "/c", full_cmd], capture_output

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal