Kleo Static files

Security checks across malware telemetry and agentic risk

Overview

The skill is broadly coherent for static hosting, but its install path runs unpinned remote code as administrator and its helpers can publish or delete hosted content without built-in safeguards.

Review the remote installer before running it and, preferably, pin it to a trusted commit or use a manual install on a test host. Only give this skill an API key in an environment where it is allowed to publish, overwrite, and delete hosted files, and require explicit confirmation before uploads, `--overwrite`, file/site deletion, `clean-deploy`, or sharing sensitive files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill documents destructive deletion commands (`sf files ... delete` and `sf sites delete`) without any warning about irreversible data loss, confirmation prompts, or backup guidance. In an agent context, this increases the chance of accidental destructive actions, especially if commands are executed from natural-language requests without explicit user confirmation.

Missing User Warnings

Medium
Confidence: 89%
Finding
The protected file-sharing workflow recommends sharing sensitive files using basic auth and even shows credentials being shared alongside the URL, but it does not warn about weak password practices, credential reuse, logging exposure, or safer alternatives. This can lead users or agents to expose sensitive content with easily compromised credentials or mishandle secrets in chats, shells, and automation logs.

Missing User Warnings

Medium
Confidence: 98%
Finding
The quick-install command pipes a remotely fetched script directly into a root shell via `sudo bash`. That creates a clear supply-chain and integrity risk: if the remote content, hosting account, repository, or network trust chain is compromised, arbitrary code will execute immediately with full privileges.

Missing User Warnings

Medium
Confidence: 96%
Finding
The manual install section includes fetching remote installation/configuration content and piping it to shells or privileged tools without warning or verification. Even if common in setup guides, this still exposes users to arbitrary code or configuration injection if the upstream source is tampered with.

Missing User Warnings

Medium
Confidence: 94%
Finding
The clean-deploy helper performs an unconditional site deletion before recreating it, with no confirmation prompt, dry-run, or safeguard against targeting the wrong site. In an agent context, this increases the chance of accidental destructive actions and service disruption from malformed inputs, mistaken site names, or overbroad automation.

Missing User Warnings

Medium
Confidence: 88%
Finding
The share command uploads a specified local file to a remote hosted site immediately and prints a public URL, without warning the caller about data transfer or exposure risks. In an AI-agent workflow, this is dangerous because the agent may be induced to exfiltrate sensitive local files or user data through a convenience command that appears harmless.

VirusTotal

63/63 vendors flagged this skill as clean.