
Security audit

Promptcache

Security checks across malware telemetry and agentic risk

Overview

This prompt-cost skill has a plausible purpose, but its installer silently makes persistent changes to the user's shell environment and sends install-time telemetry, while the runtime executable the skill declares is not actually shipped.

Review before installing. Treat this as a Review item until the publisher ships the missing executable, documents the runtime data flows, removes install telemetry or makes it opt-in, and asks for confirmation before editing shell startup files. Do not use sensitive prompts or real credentials with this version.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 80%
Finding: The skill declares no permissions, yet the analyzer detected shell-capable behavior. Even if that shell use is limited to installation, undeclared execution capability violates least-privilege expectations and misleads users and reviewers about what the skill is allowed to do. For a skill whose stated purpose is cost estimation, hidden or undeclared shell access is more suspicious because nothing in the advertised function requires it.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The declared behavior is prompt-cache cost estimation, but the analyzed behavior includes symlink creation, shell profile modification, outbound analytics, and prompting for an external API key. That mismatch is dangerous because users may consent to a harmless-seeming utility while the skill makes persistent system changes and performs network communication unrelated to its core purpose. The context makes this more dangerous, not less: none of these side effects is implied by a simple estimation tool.

Description-Behavior Mismatch
Severity: Medium
Confidence: 97%
Finding: The installer makes an outbound analytics POST during installation even though the skill's stated purpose is prompt-cache cost estimation, not telemetry. Silent network activity at install time creates an undisclosed data flow to a third party and violates least surprise, which is especially risky for users installing local tooling in sensitive environments.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: Install-time telemetry is not needed to perform prompt-caching calculations, so it is an unnecessary external transmission unrelated to core functionality. In security-sensitive environments, even limited metadata about installed tools can support inventorying or profiling of the environment, or violate policy, when it is sent without consent.

Intent-Code Divergence
Severity: Low
Confidence: 88%
Finding: A comment in the installer states explicitly that an install ping tracks community installs, but that behavior is absent from the stated skill purpose, making the installer misleading. Misleading disclosure reduces the user's ability to assess trust and can conceal privacy-impacting behavior behind a seemingly harmless install script.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The installer appends to the user's .zshrc without warning or confirmation, creating a persistent shell environment change. Silent modification of startup files can break user environments, violate admin policy, and establish a persistence foothold that the user never knowingly authorized.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The installer silently issues a background analytics request with no visible warning or opt-in. Even if the payload is small, covert network communication during install is dangerous: it discloses tool adoption to a third party and normalizes hidden outbound traffic from local scripts.
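The findings above all concern things an installer does that its description never mentions. A concrete pre-install check for that class of behaviour, added here as an example and not Promptcache's code or the SkillSpector analyzer, is a static scan of the install script for shell profile edits, symlink creation, install-time network calls, API-key prompts, environment-variable reads and backgrounded commands, plus a pass over comments that admit to telemetry (the intent-code divergence case). The sample installer embedded below is constructed for the example; the pattern set and the category names are assumptions mapped to this page's audit categories.

```python
"""Static pre-install review of a skill installer script.

Added example for this audit page; it is not Promptcache's code and not the
SkillSpector analyzer. It flags the behaviours the findings above describe
and records comments that disclose telemetry. The installer text below is
constructed for the example.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    category: str
    text: str


# Heuristic patterns keyed by the audit categories used on this page.
PATTERNS = {
    "shell profile modification": re.compile(
        r"(>>|tee\s+-a)\s*[\"']?(~|\$HOME|\$\{HOME\})/\."
        r"(zshrc|zprofile|bashrc|bash_profile|profile)\b"),
    "symlink creation": re.compile(r"\bln\s+-\w*s"),
    "outbound network call": re.compile(r"\b(curl|wget)\b.*https?://"),
    "credential prompt": re.compile(r"\bread\b.*(api[_ ]?key|token|secret)", re.I),
    "env variable harvesting": re.compile(
        r"\$\{?[A-Z_]*(KEY|TOKEN|SECRET)\}?|\b(printenv|env)\b"),
    "background execution": re.compile(r"\bnohup\b|&\s*$"),
}
# Comments that admit to telemetry: evidence for the intent-code divergence check.
DISCLOSURE = re.compile(r"\b(telemetry|analytics|ping|track\w*|metrics)\b", re.I)
# Categories that change the host persistently or move data off it.
NEEDS_REVIEW = {"shell profile modification", "outbound network call",
                "credential prompt", "env variable harvesting"}

# Constructed sample installer (not the real Promptcache install script).
SAMPLE_INSTALLER = r'''#!/bin/sh
# constructed sample installer for this example
set -e
mkdir -p "$HOME/.local/bin"
ln -s "$PWD/bin/promptcache" "$HOME/.local/bin/promptcache"
echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.zshrc
read -s -p "Enter your API key: " API_KEY
# install ping: tracks community installs
curl -s -X POST https://telemetry.example.invalid/install -d '{"event":"install"}' >/dev/null 2>&1 &
echo "installed"
'''


def scan_installer(script: str) -> list[Finding]:
    """Return one Finding per (line, category) hit, in script order."""
    findings: list[Finding] = []
    for n, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Comments are not executed, but a telemetry admission is itself a finding.
            if DISCLOSURE.search(line):
                findings.append(Finding(n, "telemetry disclosed in comment", line))
            continue
        for category, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(n, category, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count of hits per category, for the report header."""
    return dict(Counter(f.category for f in findings))


def verdict(findings: list[Finding]) -> str:
    """Review: persistent or external effects; Inspect: other flags; Clean: none."""
    categories = {f.category for f in findings}
    if categories & NEEDS_REVIEW:
        return "Review"
    return "Inspect" if categories else "Clean"


if __name__ == "__main__":
    results = scan_installer(SAMPLE_INSTALLER)
    for f in results:
        print(f"line {f.line_no:>2}  {f.category:<30}  {f.text}")
    print("summary:", summarize(results))
    print("verdict:", verdict(results))
```

This is a pre-screen, not proof of absence: it reads only what is literally in the script, so a `curl` assembled from variables or a second-stage download would pass it. Pair it with running the installer in a throwaway container with networking disabled and diffing `~/.zshrc`, `~/.bashrc` and `~/.profile` before and after, and confirm that the executable the skill declares is actually present in the package before trusting the install.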

VirusTotal

65/65 vendors flagged this skill as clean. A clean antivirus result does not address the behavioral findings above: shell profile edits, undeclared shell use and install-time telemetry are not malware signatures and are not what these scanners look for.
