Nia

Security checks across malware telemetry and agentic risk

Overview

Nia appears to be a legitimate cloud indexing/search skill, but it can upload local files, dependency manifests, and database connection/query data to Nia without strong warnings or confirmation.

Review before installing. Use this only if you are comfortable sending selected project files, manifests, saved context, and possible database credentials/query data to Nia. Avoid indexing folders with secrets, use least-privilege read-only database credentials, protect the API key file, and require explicit user approval before create, sync, from-db, preview-db, advisor, deps, context-save, delete, or rename commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill exposes clear network and shell-driven capabilities but does not declare permissions or otherwise bound those capabilities for the user. In an agent setting, this reduces transparency and can lead to unexpected outbound requests, indexing, deletion, or other side effects without an explicit trust/approval model.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding:
The documented description understates the actual power of the skill: beyond search/indexing, it can perform destructive management actions, web/deep research, autonomous job execution, database import, context sharing, and usage retrieval. This mismatch is dangerous because users or calling agents may grant trust based on a narrower description than the real behavior, increasing the chance of over-privileged or privacy-impacting use.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
This script is presented as handling local folder indexing, but it also accepts database connection strings and arbitrary queries, then forwards them to a remote API. That materially expands the trust boundary: users may unintentionally transmit sensitive credentials, SQL text, and query-derived data to an external service, which is a real security/privacy risk in a tool otherwise framed around local folders.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The README instructs users to store a long-lived API key in a plaintext file under their home directory without any warning about credential sensitivity, file permissions, rotation, or safer alternatives. While common in CLI tooling, this increases the risk of accidental disclosure through backups, misconfigured permissions, local malware, shared accounts, or support/debug output.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill explicitly supports indexing local folders and importing database query results, which can transmit sensitive source code, credentials, proprietary documents, or database contents to a remote API. Because the documentation does not warn about this data flow or require careful scoping, an agent could exfiltrate sensitive local or database data under the guise of normal indexing.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The script reads the full contents of each user-supplied local file and includes them in the JSON request sent to the remote advisor endpoint. Because the script does not prominently warn at runtime that file contents will be transmitted off-host, users may unintentionally exfiltrate secrets, proprietary code, credentials, or personal data contained in those files.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The analyze command reads the full local manifest file and sends its contents to a remote API endpoint. Even if this is the intended product behavior, the script gives no explicit warning or confirmation that local project metadata will leave the machine, which can expose private package names, internal registry references, repository structure, or other sensitive dependency information.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The subscribe command uploads the manifest contents to a remote service to auto-index dependency documentation, again without explicit disclosure at execution time. In a developer tooling context, manifests may reveal internal services, private dependencies, and technology stack details, so silent transmission increases the risk of unintended data exposure.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The upload command sends a local file and an authorization bearer token to a remote endpoint using curl, but the script does not prominently warn the user that a local file is being uploaded off-host. This is particularly sensitive because the command combines file exfiltration with authenticated access, increasing the chance of accidental disclosure of proprietary dependency data under a valid account.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The create command scans a local directory, reads file contents, and posts them to a remote endpoint without any explicit warning, preview, or confirmation about data transmission. In a tool operating over local folders, this can cause inadvertent exfiltration of source code, secrets, credentials, proprietary documents, or personal data from the user's machine.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The sync command re-scans a local directory and retransmits file contents to the remote service without any explicit warning or confirmation. This increases the chance of repeated leakage as newly added secrets or sensitive files may be silently uploaded during routine synchronization.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The from-db command accepts a raw connection string and arbitrary query, packages them into JSON, and sends them to a remote service. This can expose database credentials, internal hostnames, schema details, and potentially sensitive query results to an external system, which is especially dangerous because database data often contains high-value confidential information.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The preview-db command sends connection details, query text, and optional schema parameters to a remote endpoint merely to preview data. Even preview workflows can leak credentials and sensitive business data, and users may underestimate the risk because 'preview' implies limited impact while still crossing a major trust boundary.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The script transmits user-provided queries and potentially sensitive metadata such as repository identifiers, document sources, and local folder paths to a remote API via nia_post without any explicit user warning or consent prompt in this code path. In a tool designed to index local folders and repositories, this increases the risk of accidental data disclosure because users may not realize that search context and local resource metadata are being sent off-host.

Unrestricted Tool Access

Severity: Medium
Category: Excessive Agency
Content:
All scripts are in `./scripts/` and use `lib.sh` for shared auth/curl helpers. Base URL: `https://apigcp.trynia.ai/v2`

Each script uses subcommands: `./scripts/<script>.sh <command> [args...]`
Run any script without arguments to see available commands and usage.

### sources.sh — Documentation & Data Source Management
Confidence: 82%
Finding:
Run any script

VirusTotal

48/48 vendors flagged this skill as clean.
