ClawHub

backend developer

Security checks across malware telemetry and agentic risk

Overview

This is a coherent backend API template skill with some code-quality caveats, not evidence of hidden or malicious behavior.

This skill is reasonable to install as an instruction and template pack. Before copying generated code into production, review authorization on every route, remove or tightly control hard-delete helpers, complete validation schemas, and fix the AppError/status contract so errors are handled consistently.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The skill documents `ERROR_CODE` objects with `httpStatus`, but the `AppError` class shown does not define an `httpStatus` property, while the error handler calls `res.status(err.httpStatus)`. This mismatch can cause incorrect status handling or fallback 500s, which weakens reliable error semantics and may expose stack traces or internal behavior if downstream code assumes status metadata exists.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The controller guidance says services return `AppError | data`, but the paginated example destructures `{ data, meta }` first and only then checks `if (data instanceof AppError)`, which is logically inconsistent. If a service actually returns an `AppError`, the controller may mis-handle it as a normal object, producing malformed success responses or skipping centralized error handling, which can leak internals or bypass expected authorization/error flows.

VirusTotal

54/54 vendors flagged this skill as clean.

View on VirusTotal