Advanced ML Classification Skill

Security checks across malware telemetry and agentic risk

Overview

This ML skill is mostly coherent, but it can automatically execute remotely generated Python code on the local host and use an OpenAI API key without adequate user control or safety boundaries.

Install only in an isolated environment or container, avoid sensitive datasets, and unset OPENAI_API_KEY unless you intentionally want OpenAI calls. Treat generated code as untrusted and review it before relying on results; clean up temporary CSV files after using the Streamlit upload flow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

exec() call detected

High
Category
Dangerous Code Execution
Content
namespace: Dict[str, Any] = {}

try:
    exec(code, namespace)  # noqa: S102
    train_fn = namespace.get("train_and_evaluate")
    if not callable(train_fn):
        raise ValueError("生成代码中未定义 train_and_evaluate 函数。")
Confidence
99% confidence
Finding
exec(code, namespace) # noqa: S102

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises capabilities that imply environment access and file-writing behavior, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: a host may approve or sandbox the skill based on incomplete metadata, while the skill still performs higher-risk actions such as writing generated code or other artifacts to disk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose understates the actual behavior: beyond local ML evaluation, the skill may call external OpenAI services, generate executable code, perform broader automation, and launch a local web app/browser. This mismatch is dangerous because users and orchestrators cannot accurately assess data egress, code-execution, and UI-launch risks before enabling the skill, especially when datasets may contain sensitive industrial data.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill silently reads OPENAI_API_KEY from the environment and enables outbound calls to external LLM services, even though the stated purpose is local ML classification. This expands the trust boundary and can expose credentials and workflow metadata to a third party without clear necessity or disclosure.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The implementation sends algorithm names and generated-code prompts to OpenAI for code synthesis, but this remote behavior is not disclosed by the skill description. Even if raw datasets are not directly uploaded in this path, undisclosed external processing changes the privacy and supply-chain risk profile of the skill.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This code path combines remote code synthesis with immediate execution in the host process, which is far beyond what a classification helper needs. In skill context, this is more dangerous because the feature is framed as routine ML automation, lowering operator suspicion while granting arbitrary execution capability.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
The manifest advertises benchmarking and interpretation, but the code introduces hidden capabilities: remote code synthesis and arbitrary code execution. This mismatch is security-relevant because users may grant the skill access under false assumptions about its behavior and risk surface.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The skill transmits result summaries and error messages to GPT-3.5 for interpretation without disclosing this in the description. Errors and performance summaries can contain sensitive operational details, library paths, model metadata, or environment hints that users may not expect to leave the system.

Missing User Warnings

High
Confidence
98% confidence
Finding
Executing dynamically generated code without any user-facing warning deprives operators of informed consent around a highly privileged action. The absence of disclosure increases the chance this dangerous behavior is triggered in trusted environments containing secrets, data, and network access.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill sends model scores and error details to an external API without a clear warning, which is a transparency and data-handling issue. In practice, error text can reveal environment information and operational context that should not be exported silently.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The app collects an OpenAI API key and passes it into downstream skill execution, but the UI provides no notice that the credential may be transmitted to an external service or how it will be stored/used. In a local ML workflow, users may reasonably assume everything runs offline; that mismatch can lead to unintended credential disclosure or external data transfer when interpretation features invoke remote APIs.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The script automatically upgrades pip, installs dependencies, and executes local Python programs without any prompt, warning, or dry-run step. In a skill package context, this increases supply-chain and arbitrary code execution risk because dependency installation and script execution can run attacker-controlled code immediately when a user launches the demo.

VirusTotal

66/66 vendors flagged this skill as clean.