Terabox Storage

Security checks across malware telemetry and agentic risk

Overview

This skill matches its TeraBox storage purpose, but normal use can silently self-update the skill and replace local executables, so it needs careful review before installation.

Install only if you trust the publisher and TeraBox update infrastructure. Review install and update commands before they run, consider disabling automatic update checks with --no-check-update where possible, avoid exposing ~/.config/terabox/config.json, and confirm exact paths before uploads, downloads, transfers, moves, renames, or public share creation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 94%
Finding
The skill invokes shell commands extensively (`bash`, `terabox`, installer/update scripts) but does not declare corresponding permissions. This creates a transparency and governance gap: users or platforms may not realize the skill can execute local commands, download binaries, and modify files, which increases the chance of unsafe execution in environments that rely on declared permissions for enforcement or review.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 98%
Finding
The skill claims to manage TeraBox storage operations, but its documented behavior includes installing a remote executable and silently self-updating from external sources before commands run. That substantially expands the trust boundary from file operations to arbitrary code supply-chain risk, because a compromised CDN, update API, or package could lead to execution of attacker-controlled code and persistent modification of the local environment.

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The documentation states that all operations are restricted to an application sandbox, but the skill's described capabilities include authenticating to a remote cloud service and performing upload, download, share, and transfer actions that affect external resources. This misleading safety claim can cause users or downstream agents to underestimate the real scope of side effects, increasing the chance of unsafe authorization, data exposure, or destructive remote actions.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The documented `update`, `update apply`, and `update rollback` capabilities materially expand the skill from file-management into software lifecycle control. That increases attack surface because an agent using this skill could change the installed CLI version or trigger code retrieval/execution paths unrelated to the user's storage task, creating supply-chain and unexpected state-change risk.

Context-Inappropriate Capability

Low
Confidence: 87%
Finding
Automatic update checks on every command cause unsolicited network activity outside the core storage action the user requested. While not inherently code-executing by itself, this creates privacy and behavioral surprise, and it can interact with remote infrastructure in ways the skill does not justify or warn about.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The script claims to manage skill-level updates, but it also overwrites the local `terabox` executable in `~/.local/bin`. This expands the trust boundary from updating local skill assets to replacing an executable that may be invoked outside the skill, creating a supply-chain risk if the downloaded archive or metadata is compromised.

Intent-Code Divergence

Medium
Confidence: 90%
Finding
The header comments state that CLI binary updates are handled by the CLI's own updater, but later logic still installs a new `terabox` binary. This mismatch can mislead reviewers and users about the script's actual capabilities, reducing scrutiny around behavior that modifies executables.

Vague Triggers

Medium
Confidence: 87%
Finding
Using `Tera` as an activation alias is overly broad and can match benign conversation unrelated to TeraBox. In an agent setting, unintended activation is risky because this skill can trigger shell commands, login flows, update routines, and cloud operations based on misclassified user intent.

Missing User Warnings

Medium
Confidence: 90%
Finding
The reference documents recursive upload/download of directories without warning about bulk data transfer, overwrite/storage-consumption risks, or the sensitivity of local/cloud paths. In an agent context, a broad or mistaken path could exfiltrate large local datasets to cloud storage or pull large remote datasets locally with significant privacy, cost, and disk-usage consequences.

Missing User Warnings

Medium
Confidence: 91%
Finding
`share-save` and `share-download` write data into the user's cloud account or local filesystem, but the documentation does not emphasize that these are state-changing import operations. In an agent workflow, this can lead to unreviewed ingestion of untrusted or large remote content, causing storage abuse, malware staging, or accidental account modification.

Missing User Warnings

Low
Confidence: 84%
Finding
Documenting automatic update checks without a privacy or network-activity warning is a real safety issue because users may not expect every command to contact update infrastructure. In agent-driven environments, hidden background network access is particularly risky because it weakens least-surprise and can leak usage metadata.

Self-Modification

High
Category: Rogue Agent
Content
    # User confirmation
    if [ "$auto_yes" != "yes" ]; then
        echo -n -e "${YELLOW}Update Skill to v${remote_version}? [y/N] ${NC}"
        read -n 1 -r
        echo
        if [[ ! $REPLY =~ ^[Yy]$ ]]; then
Confidence: 96%
Finding
Update Skill

VirusTotal

63/63 vendors flagged this skill as clean.
