Linux installer

Security checks across malware telemetry and agentic risk

Overview

This skill is a Linux app installer that can make real system changes. Its behaviour is disclosed and purpose-aligned: installs, launches and removals are gated by explicit command flags rather than hidden automation.

Install only on Linux, review the resolved source, package ID, and exact commands before approving, and approve sudo prompts only when they match the app you asked for. Keep unsafe community installs disabled unless you have independently reviewed the package source.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not launch_steps:
        raise RuntimeError("No launch command is defined for this candidate.")
    expanded = [expand_env(part) for part in launch_steps]
    process = subprocess.Popen(
        expanded,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
Confidence
95% confidence
Finding
process = subprocess.Popen( expanded, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, start_new_session=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        raise RuntimeError("No install steps are defined for this candidate.")
    for step in steps:
        expanded = [expand_env(part) for part in step]
        result = subprocess.run(expanded, text=True, check=False)
        if result.returncode != 0:
            raise RuntimeError(
                f"Install command failed with exit code {result.returncode}: {shell_join(step)}"
Confidence
97% confidence
Finding
result = subprocess.run(expanded, text=True, check=False)

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The manifest says the skill resolves the safest supported source and returns install/launch/remove commands, but the implementation also performs installs, launches, and uninstalls itself. That mismatch is dangerous because callers may treat the skill as informational while it actually performs privileged, state-changing operations on the local machine.
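The mismatch above (and the two subprocess findings before it) is usually fixed by splitting the skill into an informational plan step and a separately gated apply step. The following is an added example written for this report, not the scanned skill's code. It assumes install steps are stored as argv lists rather than shell strings, that expand_env() only expands an allowlisted set of variables (the ALLOWED_VARS set is an assumption), and that nothing runs unless the caller passes execute=True and a confirm callback approves each sudo step. Candidate, Plan, plan_install and apply_plan are hypothetical names.

```python
"""Plan/apply split for an installer skill.

Added example for this report, not the scanned skill's code. Assumes install
steps are argv lists, only allowlisted environment variables are expanded, and
no command runs without execute=True plus confirmation of sudo steps.
"""
import os
import re
import shlex
import subprocess
import sys
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumed allowlist: anything else is left as a literal "$NAME" so a manifest
# cannot pull arbitrary environment contents (tokens, keys) into argv.
ALLOWED_VARS = {"HOME", "USER", "XDG_DATA_HOME"}
_VAR = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def expand_env(part: str, env: Optional[Dict[str, str]] = None) -> str:
    """Expand only allowlisted variables; unknown or disallowed ones stay literal."""
    source = os.environ if env is None else env

    def sub(m):
        name = m.group(1)
        return source[name] if name in ALLOWED_VARS and name in source else m.group(0)

    return _VAR.sub(sub, part)


@dataclass
class Candidate:
    package_id: str
    source: str                  # e.g. "flatpak", "apt", "snap"
    install_steps: List[List[str]]


@dataclass
class Plan:
    package_id: str
    source: str
    commands: List[List[str]]
    needs_sudo: bool

    def rendered(self) -> List[str]:
        """Shell-quoted commands for the user to review before approving."""
        return [shlex.join(cmd) for cmd in self.commands]


def plan_install(cand: Candidate, env: Optional[Dict[str, str]] = None) -> Plan:
    """Informational path: resolve and render commands, execute nothing."""
    if not cand.install_steps:
        raise RuntimeError("No install steps are defined for this candidate.")
    commands = [[expand_env(p, env) for p in step] for step in cand.install_steps]
    needs_sudo = any(cmd and cmd[0] == "sudo" for cmd in commands)
    return Plan(cand.package_id, cand.source, commands, needs_sudo)


def apply_plan(plan: Plan, execute: bool = False,
               confirm: Optional[Callable[[Plan, List[str]], bool]] = None) -> List[int]:
    """State-changing path. Runs nothing unless execute=True; a step starting
    with sudo runs only if confirm(plan, cmd) returns True. Returns exit codes."""
    if not execute:
        return []
    codes: List[int] = []
    for cmd in plan.commands:
        if cmd[0] == "sudo" and (confirm is None or not confirm(plan, cmd)):
            raise PermissionError("Refused unconfirmed privileged step: " + shlex.join(cmd))
        result = subprocess.run(cmd, text=True, check=False)  # argv list, no shell
        codes.append(result.returncode)
        if result.returncode != 0:
            raise RuntimeError(
                f"Install command failed with exit code {result.returncode}: {shlex.join(cmd)}")
    return codes


if __name__ == "__main__":
    # Constructed candidate; the sudo step is there to show the confirmation gate.
    cand = Candidate("org.example.App", "apt",
                     [[sys.executable, "-c", "print('pretend install')"],
                      ["sudo", "apt-get", "install", "-y", "example-app"]])
    plan = plan_install(cand, env={"HOME": "/home/alice", "SECRET": "hunter2"})
    print("\n".join(plan.rendered()), "needs sudo:", plan.needs_sudo)
    print("dry run executed:", apply_plan(plan))  # [] -- nothing ran
```

The point of the split is that a caller who treats the skill as informational gets exactly what the manifest promises (a Plan), and the subprocess call sits behind an argument the caller must set deliberately; a scanner would still flag the subprocess.run, but the description and behaviour now agree.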

Vague Triggers

Medium
Confidence
90% confidence
Finding
The alias "code" is extremely generic and may cause unrelated user requests to resolve to Visual Studio Code. In an installer skill that can trigger package installation, ambiguous resolution can lead to unintended software installation and command generation without the user clearly requesting that app.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The alias "element" is a common English word and can collide with many ordinary requests unrelated to the Element chat client. In a skill that maps free-form input to install commands, this increases the chance of unintended package selection and downstream execution guidance.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The alias "signal" is broad and may match common conversational use unrelated to Signal Desktop. Because the skill is designed to choose software automatically, this ambiguity can misroute benign requests into software installation actions.
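The three Vague Triggers findings share one root cause: aliases that are ordinary English words are matched against free-form text. The following is an added example for this report, not the skill's own resolver. It shows both sides: an audit function that reports the vague aliases a scanner would flag, and a resolver that accepts a vague alias only when the request states install intent with that alias as its object. The alias table, the COMMON_WORDS stand-in for a dictionary, the INSTALL_VERBS list and the package IDs are all constructed for the example.

```python
"""Intent-gated alias resolution for an installer skill.

Added example for this report, not the scanned skill's code. The alias table
and the COMMON_WORDS set are constructed stand-ins, not the skill's data.
"""
import re
from typing import Dict, List, Optional

# Constructed alias table. The bare words are exactly the aliases the report
# flags; the longer forms are the unambiguous spellings.
ALIASES: Dict[str, str] = {
    "code": "com.visualstudio.code",
    "vscode": "com.visualstudio.code",
    "element": "im.riot.Riot",
    "signal": "org.signal.Signal",
    "signal-desktop": "org.signal.Signal",
}

# Constructed stand-in for a real dictionary lookup.
COMMON_WORDS = {"code", "element", "signal", "run", "open", "install"}

# Phrases that express install intent (assumed list).
INSTALL_VERBS = ("install", "set up", "get me")


def is_vague_alias(alias: str) -> bool:
    """An alias is vague if it is an everyday word or too short to be specific."""
    return alias in COMMON_WORDS or len(alias) < 4


def audit_aliases(aliases: Dict[str, str] = ALIASES) -> List[str]:
    """What a scanner would report: aliases that collide with ordinary text."""
    return sorted(a for a in aliases if is_vague_alias(a))


def resolve(request: str, aliases: Dict[str, str] = ALIASES) -> Optional[str]:
    """Map free-form text to a package ID, or None.

    Unambiguous aliases resolve on a whole-word match anywhere in the request.
    A vague alias resolves only as the object of an install verb
    ("install signal"), never from incidental use ("send me a signal").
    """
    text = request.lower()
    for alias, pkg in aliases.items():
        word = re.escape(alias)
        if not re.search(r"\b" + word + r"\b", text):
            continue
        if not is_vague_alias(alias):
            return pkg
        for verb in INSTALL_VERBS:
            intent = r"\b" + re.escape(verb) + r"\s+(the\s+)?" + word + r"\b"
            if re.search(intent, text):
                return pkg
    return None


if __name__ == "__main__":
    print("vague aliases:", audit_aliases())
    for req in ("install signal",
                "send me a signal when the build is done",
                "please install the element chat client",
                "what does this element of the config mean",
                "open vscode"):
        print(f"{req!r} -> {resolve(req)}")
```

A production resolver would replace COMMON_WORDS with a real word list and would still surface the chosen package and the exact commands for approval, as the Overview recommends; the gate here only keeps conversational mentions of "code", "element" or "signal" from becoming install actions.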

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal