Attack Surface Mapper

Security checks across malware telemetry and agentic risk

Overview

This skill is a local security-reporting helper that reads expected security logs and writes local reports, with no evidence of hidden network access, credential use, or destructive behavior.

Install only if you are comfortable with local security posture reports being written under .security/surface-map. Keep that directory private, avoid committing generated reports to shared repositories, and review the output before sharing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The documented attack surface list contains 'INTER-AGENT', but getAttackVectorsForSurface() only handles 'INTER_AGENT'. As a result, that entire surface silently produces no attack vectors and is omitted from the coverage matrix, creating a blind spot in the generated security assessment.
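The mismatch described in this finding is easy to reproduce and equally easy to check for. The example below is added here and is not the skill's own code: the surface list, the vector table and the function names other than getAttackVectorsForSurface() are constructed stand-ins. It shows a documented 'INTER-AGENT' surface silently yielding no vectors against a lookup keyed on 'INTER_AGENT', then an audit that flags any documented surface with an empty row, and a canonicalizing lookup that fails closed on unknown names instead of returning an empty list.

```javascript
// Added example, not the skill's code: reproduce and detect an
// intent/code key mismatch between a documented surface list and
// the function that maps surfaces to attack vectors.

// Constructed stand-in for the skill's documented attack surface list.
const DOCUMENTED_SURFACES = ['MCP_TOOLS', 'FILESYSTEM', 'INTER-AGENT', 'NETWORK'];

// Constructed stand-in for the lookup table; note INTER_AGENT vs INTER-AGENT.
const VECTORS_BY_SURFACE = {
  MCP_TOOLS: ['tool description poisoning', 'parameter description injection'],
  FILESYSTEM: ['file system enumeration', 'silent report overwrite'],
  INTER_AGENT: ['delegated prompt injection', 'trust boundary confusion'],
  NETWORK: ['external transmission'],
};

// Mirrors the flawed behaviour the finding describes: an unknown key
// returns an empty list rather than an error, so the gap is invisible.
function getAttackVectorsForSurface(surface) {
  return VECTORS_BY_SURFACE[surface] || [];
}

// Audit: every documented surface must produce at least one vector.
// Returns the surfaces that would become blind spots in the matrix.
function findUncoveredSurfaces(surfaces, lookup) {
  return surfaces.filter((s) => lookup(s).length === 0);
}

// Fix, part 1: canonicalize names so spelling variants collapse
// ('INTER-AGENT', 'inter agent', 'INTER_AGENT' all become INTER_AGENT).
function canonicalSurface(name) {
  return name.trim().toUpperCase().replace(/[^A-Z0-9]+/g, '_');
}

// Fix, part 2: fail closed. A surface with no vector mapping is a bug
// in the assessment, so raise instead of returning an empty row.
function getAttackVectorsForSurfaceCanonical(surface) {
  const key = canonicalSurface(surface);
  if (!Object.prototype.hasOwnProperty.call(VECTORS_BY_SURFACE, key)) {
    throw new Error(`unknown attack surface: ${surface}`);
  }
  return VECTORS_BY_SURFACE[key];
}

// Coverage matrix built on the strict lookup; cannot contain an empty row.
function buildCoverageMatrix(surfaces) {
  const matrix = {};
  for (const s of surfaces) {
    matrix[canonicalSurface(s)] = getAttackVectorsForSurfaceCanonical(s);
  }
  return matrix;
}

console.log('blind spots with flawed lookup:',
  findUncoveredSurfaces(DOCUMENTED_SURFACES, getAttackVectorsForSurface));
console.log('blind spots with canonical lookup:',
  findUncoveredSurfaces(DOCUMENTED_SURFACES, getAttackVectorsForSurfaceCanonical));
```

The audit is worth running as a unit test in any tool that derives a coverage matrix from a documented list: a row that is empty because of a key typo looks identical to a row that is empty because nothing applies, so the lookup should refuse unknown keys rather than default to nothing.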

Missing User Warnings

Medium
Confidence: 83%
Finding
The skill writes JSON reports under a user-controlled target directory without an explicit warning or opt-in. In an agent context, silent filesystem writes can create unexpected persistence, leak sensitive analysis artifacts into repositories or shared workspaces, and overwrite prior reports if naming collides.

Missing User Warnings

Medium
Confidence: 82%
Finding
The markdown report is also written to disk without clear user-facing notice that a file will be created in the target directory. In automated agent workflows this can leave sensitive security summaries on disk unexpectedly and may overwrite an existing same-day report.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal