Solidity Guardian

Security checks across malware telemetry and agentic risk

Overview

This skill is a plausible Solidity scanner, but its Slither wrapper builds shell commands from an unsanitized project path and can optionally install unpinned external tooling.

Review before installing. Use the Guardian-only analyzer or run the skill in a sandbox, avoid --install-slither unless you intentionally want to install Slither into the local Python environment, and do not let an agent choose arbitrary or unusual project paths until the Slither invocation is changed to safe argument-based execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The skill metadata and description present the tool as a Solidity security analyzer, but the documented behavior also includes installing and invoking Slither via system package managers and subprocesses. This is a real transparency and supply-chain risk: users may run the skill expecting local pattern matching only, while it can modify the host environment and pull external code, increasing attack surface and violating least surprise.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The skill can install external software by invoking pipx, pip3, or python3 -m pip directly from the host environment. Even though this is framed as a convenience for Slither setup, it modifies the system outside the core analysis function and can introduce unreviewed code, dependency confusion risk, and unexpected host changes in environments where the skill is expected to be read-only.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: The code builds a shell command with a user-supplied projectPath and passes it to execSync, which invokes a shell. If projectPath contains shell metacharacters, an attacker could achieve command injection and run arbitrary commands under the user's privileges; additionally, running external tooling on attacker-controlled projects can trigger risky compiler/build behavior.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: Automatic installation executes package-manager commands that change the host system, but the only notice is a generic log message rather than an explicit warning and confirmation about system modification. In agent or automation contexts, this can surprise users, alter environments, and pull remote code without a clear trust boundary.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: Shell execution uses unvalidated projectPath in a command string and provides no disclosure that analyzing a path may spawn subprocesses against untrusted input. This creates a direct command-injection surface and, even absent injection, exposes users to the risks of invoking external analysis tools on potentially malicious repositories.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The --output parameter is written with fs.writeFileSync to any path supplied by the user, with no overwrite checks or safety prompt. In automated or multi-user contexts this can clobber existing files, overwrite sensitive paths the process can access, or be abused via symlink targets.

VirusTotal

64/64 vendors flagged this skill as clean.