ClawHub

Nm Leyline Authentication Patterns

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only authentication-pattern skill with expected credential and CLI guidance, but users should copy its examples carefully.

Install/use this as guidance, not as hardened production code. Before copying examples, replace free-form service command execution with an allowlist of trusted CLIs, prefer short-lived or least-privilege credentials, avoid committing .env files, clear caches on shared systems, and review any external interactive_auth.sh script before sourcing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The OAuth example invokes a local executable directly from the untrusted `service` parameter via `subprocess.run([service, "auth", "login"])`. While list-style invocation avoids shell metacharacter injection, it still allows execution of any attacker-controlled binary name or path, which can lead to arbitrary code execution if `service` is influenced by user input or PATH hijacking. In an authentication skill, this is especially risky because callers may assume the operation is security-sensitive and trustworthy.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The token refresh example has the same flaw: it executes a local program based on the attacker-controllable `service` value using `subprocess.run([service, "token", "refresh"])`. This can be abused to run arbitrary local executables or malicious lookalikes earlier in PATH, producing code execution in a security-relevant authentication workflow.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The document claims the module does not store tokens, yet earlier sections describe `token_cache.json`, session files, and CLI-managed credential files on disk. This is dangerous because users may make trust decisions based on inaccurate security claims and unknowingly persist sensitive authentication material locally.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill accepts a dynamic `service` value and uses it as the executable in multiple `subprocess.run` calls, which enables execution of arbitrary local binaries rather than limiting behavior to a known authentication verifier. In the context of an agent skill, this expands capability from documentation/testing patterns into local command execution, creating command-execution risk if untrusted input can influence the service name or if a malicious binary is present in PATH.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
Although the code uses argument-list `subprocess.run` rather than a shell, it still launches an arbitrary executable derived from `service`, which is not clearly constrained by the authentication-pattern purpose. That means the skill can be repurposed to run unintended local programs under the guise of a smoke test.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation promotes token caching and session persistence but omits any warning about where tokens are stored, their file permissions, encryption, expiration handling, or multi-user host risks. In an authentication skill, that omission is more dangerous because users may adopt insecure credential storage defaults and leave reusable tokens exposed on shared systems or CI runners.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The overview promotes token caching and session persistence but does not immediately warn that authentication state and optional token information may be written to disk. In an authentication skill, omission of persistence details is security-relevant because operators may use it on shared workstations, ephemeral runners, or sensitive environments without understanding the local exposure created.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The AWS flow explicitly offers manual entry of long-lived access keys and exports them into the shell environment without warning about persistence, shell history/process exposure risks, or preference for short-lived credentials. This is dangerous because long-lived cloud credentials materially increase blast radius if leaked and are especially risky in interactive shells, shared hosts, or logged environments.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The markdown presents subprocess-based verification flows as normal patterns without warning that they execute local CLI commands and may contact external services. In an agent-skill setting, lack of disclosure increases the chance that users or downstream systems will invoke these patterns without understanding the local execution and credential-use implications.

Unvalidated Output Injection

High
Category
Output Handling
Content
def smoke_test(service: str) -> bool:
    """Test auth with minimal request."""
    try:
        result = subprocess.run(
            [service, "-p", "Respond with OK"],
            capture_output=True,
            timeout=30
Confidence
84% confidence
Finding
subprocess.run( [service, "-p", "Respond with OK"], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
```python
def test_model_access(service: str, model: str) -> bool:
    """Verify access to specific model."""
    result = subprocess.run(
        [service, "--model", model, "-p", "ping"],
        capture_output=True
    )
Confidence
85% confidence
Finding
subprocess.run( [service, "--model", model, "-p", "ping"], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
# Check auth status
    if checks["cli_available"]:
        result = subprocess.run([service, "auth", "status"], capture_output=True)
        checks["auth_valid"] = result.returncode == 0

    # Check model access
Confidence
87% confidence
Finding
subprocess.run([service, "auth", "status"], capture_output

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal