ZipCracker

Security checks across malware telemetry and agentic risk

Overview

This ZIP recovery skill is coherent, but it needs review because it can crack passwords, install external tools, run long jobs, and write recovered files to disk.

Install only if you need ZIP CTF or explicitly authorized archive recovery. Keep install prompts disabled unless you trust the dependency sources, run it in a contained project directory, choose a disposable output folder, avoid ambiguous third-party archives, and remember that recovered passwords, extracted files, and tool-install artifacts may appear on disk or in logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if accept_header:
        ps_script.append("$headers['Accept']='%s'" % accept_header)
    ps_script.append("(Invoke-WebRequest -UseBasicParsing -Headers $headers -Uri '%s').Content" % url.replace("'", "''"))
    proc = subprocess.run(
        [powershell, "-NoProfile", "-Command", "; ".join(ps_script)],
        capture_output=True,
        text=True,
Confidence
79% confidence
Finding
proc = subprocess.run( [powershell, "-NoProfile", "-Command", "; ".join(ps_script)], capture_output=True, text=True, timeout=180, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
% (url.replace("'", "''"), dest_path.replace("'", "''")),
        ]
    )
    proc = subprocess.run(
        [powershell, "-NoProfile", "-Command", ps_script],
        capture_output=True,
        text=True,
Confidence
80% confidence
Finding
proc = subprocess.run( [powershell, "-NoProfile", "-Command", ps_script], capture_output=True, text=True, timeout=1800, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
last_error = ""
    for source_name, cmd in build_pyzipper_pip_install_commands(locale):
        proc = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
Confidence
83% confidence
Finding
proc = subprocess.run( cmd, capture_output=True, text=True, timeout=1800, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
["cmake", "--build", build_dir, "--config", "Release"],
            ["cmake", "--build", build_dir, "--config", "Release", "--target", "install"],
        ):
            proc = subprocess.run(
                command,
                capture_output=True,
                text=True,
Confidence
76% confidence
Finding
proc = subprocess.run( command, capture_output=True, text=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
fd, log_path = tempfile.mkstemp(prefix="zipcracker_bkcrack_pw_", suffix=".log")
        os.close(fd)
        with open(log_path, "w", encoding="utf-8", errors="replace") as log_fp:
            proc = subprocess.run(
                cmd,
                stdout=log_fp,
                stderr=subprocess.STDOUT,
Confidence
72% confidence
Finding
proc = subprocess.run( cmd, stdout=log_fp, stderr=subprocess.STDOUT, timeout=timeout, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
fd, log_path = tempfile.mkstemp(prefix="zipcracker_bkcrack_", suffix=".log")
        os.close(fd)
        with open(log_path, "w", encoding="utf-8", errors="replace") as log_fp:
            proc = subprocess.run(
                cmd_attack,
                stdout=log_fp,
                stderr=subprocess.STDOUT,
Confidence
77% confidence
Finding
proc = subprocess.run( cmd_attack, stdout=log_fp, stderr=subprocess.STDOUT, timeout=None, )

Tainted flow: 'cmd' from os.environ.get (line 3171, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
fd, log_path = tempfile.mkstemp(prefix="zipcracker_bkcrack_pw_", suffix=".log")
        os.close(fd)
        with open(log_path, "w", encoding="utf-8", errors="replace") as log_fp:
            proc = subprocess.run(
                cmd,
                stdout=log_fp,
                stderr=subprocess.STDOUT,
Confidence
88% confidence
Finding
proc = subprocess.run( cmd, stdout=log_fp, stderr=subprocess.STDOUT, timeout=timeout, )

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill can autonomously download binaries, install Python packages, and build third-party source code locally. In an agent setting this exceeds the minimal capability needed to analyze ZIPs and creates significant supply-chain, persistence, and host-modification risk if triggered on an untrusted system.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code actively generates and facilitates system package manager commands for dependency installation, including privilege escalation patterns. This broadens the skill from ZIP recovery into host modification, which is risky and unnecessary in many agent deployments.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list is broad enough to match benign support requests such as 'this ZIP won't open' or generic password help, which can cause the skill to activate in situations not clearly limited to authorized CTF or self-owned archives. In context, that is risky because the skill's core behavior is cracking/recovery guidance, so overbroad activation can steer normal user requests into dual-use or unauthorized-access workflows.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The copy explicitly promises automatic extraction after successful recovery but provides no warning that ZIP contents are untrusted and may write files to disk. In practice, this can normalize unsafe handling of hostile archives and increase the chance of path traversal, overwrite, or accidental execution risks in downstream workflows.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The English promotional copy describes password recovery, brute force, CRC32 recovery, and known-plaintext attack workflows without consistently reinforcing that use is restricted to authorized recovery or CTF scenarios. Because this is user-facing listing text, the omission lowers friction for misuse and makes dual-use offensive capability appear generally available rather than constrained.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The listing promises 'Automatic extraction' after recovery, but it does not warn that successful runs may write files to disk. In a ZIP-focused skill, extraction is a normal capability, yet undocumented filesystem modification can surprise callers, increase risk from path traversal or overwrite scenarios, and cause unintended changes in agent environments.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill offers automatic dependency installation and remote downloads without a strong upfront warning that the host environment will be modified. In agent-assisted contexts, users may not understand that accepting the prompt changes local Python or tool state, increasing the risk of unsafe or unintended modifications.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The one-click bkcrack install path downloads, extracts, and places tooling under a managed local directory with insufficient emphasis on safety and persistence implications. This is especially risky because it introduces executable binaries onto the host as part of a skill whose advertised purpose is archive recovery.

VirusTotal

66/66 vendors flagged this skill as clean.
