Create MCP Servers using Meta-MCP

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate MCPHero setup skill, but it needs review because it connects an AI client to a persistent hosted service and handles secrets without enough safety guidance.

Install only if you trust MCPHero with the prompts, requirements, generated tool definitions, and any credentials used to build or deploy servers. Use least-privilege or short-lived secrets, avoid production credentials where possible, protect any config file containing Authorization headers, and rotate tokens if they are exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill explicitly instructs users to submit environment variable values and generate bearer tokens through a remote hosted service, but it does not warn that these values may contain secrets and will be transmitted to a third party. In a security-sensitive workflow, this omission can lead users to disclose API keys, tokens, or credentials without informed consent.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
{
  "mcpServers": {
    "my-server": {
      "url": "https://api.mcphero.app/mcp/<server-id>/mcp",
      "headers": {
        "Authorization": "Bearer <bearer_token>"
      }
    }
  }
}
Confidence: 86%
Finding: https://api.mcphero.app/
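The two findings above, together with the overview's advice to protect any config file that carries an Authorization header and to avoid pasting production credentials into a hosted builder, boil down to two checks a user can run before installing: does the environment block they are about to submit contain secrets, and does the resulting client config ship a bearer token to a third-party host from a file other users can read? The script below is an added example written for this page; it is not part of the skill, the scanner, or MCPHero's own tooling. The sample config, the sample environment variables, the file-mode value, the credential-name regex and the entropy threshold are all constructed or assumed for illustration.

```python
"""Pre-install audit for an MCP client config and for env vars that are about
to be submitted to a hosted MCP builder.  Added example for this page, not
code from the skill, the scanner or MCPHero.  All sample data is constructed."""
import json
import math
import re
import stat
from collections import Counter
from urllib.parse import urlparse

# Constructed sample mirroring the shape of the config in the finding
# (placeholders left in place), plus a local stdio server for contrast.
SAMPLE_CONFIG = """{
  "mcpServers": {
    "my-server": {
      "url": "https://api.mcphero.app/mcp/<server-id>/mcp",
      "headers": {"Authorization": "Bearer <bearer_token>"}
    },
    "local-fs": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"]
    }
  }
}"""

# Constructed sample of env vars a user might paste into the builder prompt.
SAMPLE_ENV = {
    "LOG_LEVEL": "debug",
    "OPENAI_API_KEY": "sk-abc123def456ghi789jkl012mno345pqr678",
    "DATABASE_URL": "postgres://app:hunter2@db.internal:5432/prod",
    "REGION": "us-east-1",
}

# Assumed heuristics: credential-like names, user:pass embedded in a URL,
# and long high-entropy values.  Tune to taste; these are not a standard.
SECRET_NAME_RE = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL)", re.I)
URL_CRED_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/:@\s]+:[^@\s]+@", re.I)
ENTROPY_BITS = 3.5
MIN_LEN = 20
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random-looking tokens score well above 3.5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify_env_vars(env: dict) -> dict:
    """Return {name: reason} for values that look like secrets and so should
    not be sent to a third-party service without the user's informed consent."""
    flagged = {}
    for name, value in env.items():
        if SECRET_NAME_RE.search(name):
            flagged[name] = "name suggests a credential"
        elif URL_CRED_RE.match(value):
            flagged[name] = "URL embeds a username:password"
        elif len(value) >= MIN_LEN and shannon_entropy(value) >= ENTROPY_BITS:
            flagged[name] = "long high-entropy value"
    return flagged


def audit_mcp_config(config_text: str, file_mode: int) -> list:
    """Return issue strings for an mcpServers config.  file_mode is the
    st_mode of the config file (os.stat(path).st_mode in real use)."""
    issues = []
    cfg = json.loads(config_text)
    holds_secret = False
    for name, server in cfg.get("mcpServers", {}).items():
        headers = server.get("headers") or {}
        auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
        if auth is None:
            continue  # stdio/local servers carry no credential in this file
        holds_secret = True
        parsed = urlparse(server.get("url", ""))
        host = parsed.hostname or ""
        if parsed.scheme != "https":
            issues.append(f"{name}: credential would travel over '{parsed.scheme or 'no'}' scheme, not https")
        if host not in LOCAL_HOSTS:
            issues.append(f"{name}: bearer token is sent to third-party host {host}")
    # A file holding a bearer token should be owner-only (mode 0600).
    if holds_secret and file_mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append("config file holds credentials but is group/world accessible; use mode 0600")
    return issues


if __name__ == "__main__":
    for k, why in classify_env_vars(SAMPLE_ENV).items():
        print(f"do not submit {k}: {why}")
    for issue in audit_mcp_config(SAMPLE_CONFIG, 0o100644):
        print("config:", issue)
```

In real use, replace SAMPLE_CONFIG with the contents of the client's config file and pass `os.stat(path).st_mode`; the third-party-host line is informational rather than a defect, because sending the token to the hosted service is how the skill works, which is exactly why the token should be short-lived and scoped to that service.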

VirusTotal

66/66 vendors flagged this skill as clean.
