Aioom

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed memory-cleaning tool, but it can automatically kill local processes and exposes powerful localhost web controls with weak safeguards.

Install only if you explicitly want an automated local process killer. Run it in dry-run mode first, review protected-process patterns, avoid exposing the Web UI beyond localhost, do not enable webhook URLs unless you trust the destination, and treat the dashboard as sensitive because it can reveal process details and terminate applications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch (Medium severity, 91% confidence)

Finding:
This module transmits local process-action data to an externally configured webhook, which expands a local memory-management tool into a networked telemetry sender. Even though the feature may be intended for alerting, it creates data egress and privacy risk that is not clearly aligned with a local Windows memory guardian and could leak process names, PIDs, and actions to third parties.

Context-Inappropriate Capability (Medium severity, 84% confidence)

Finding:
The outbound HTTP request capability is broader than the stated local monitoring purpose and allows the skill to send runtime event data off-host. In a system tool that can observe and act on processes, undisclosed network egress increases the risk of covert telemetry or misuse if configuration is altered or abused.

Context-Inappropriate Capability (Medium severity, 96% confidence)

Finding:
The page imports executable JavaScript from unpkg.com and jsDelivr at runtime, so a local administrative dashboard depends on third-party infrastructure for code execution. If a CDN, package version, or network path is compromised, an attacker could run arbitrary script in the dashboard context and access sensitive process, config, and control functions exposed by the UI.

Context-Inappropriate Capability (High severity, 97% confidence)

Finding:
The API exposes sensitive state-changing operations with no authentication or authorization: any local user or any web page able to reach the service on localhost can call the config update endpoint to change protections, disable dry-run, and persist those changes to disk. In the context of this skill, that can directly weaken safeguards and facilitate destructive process termination, making the Web GUI materially more dangerous than a read-only monitoring UI.

Missing User Warnings (Medium severity, 89% confidence)

Finding:
The README explicitly promotes automatically terminating processes before OOM, but it does not prominently warn users that this can cause data loss, application crashes, or termination of critical system/user processes. In a memory-management skill that may be invoked under stress conditions ('内存满了', '清理内存'), insufficient warning increases the chance of unsafe deployment or misuse.

Vague Triggers (Medium severity, 88% confidence)

Finding:
The trigger phrases are broad enough to match ordinary requests like 'memory is full' or 'clean memory,' which can cause this skill to activate in situations where the user did not explicitly ask to run a process-killing memory tool. In context, this is more dangerous than a harmless info skill because the documented workflow includes launching monitors, opening a web panel, and potentially terminating processes after analysis.

Missing User Warnings (Medium severity, 88% confidence)

Finding:
This file performs automatic process-killing once memory thresholds are met, but it does not provide a clear upfront warning or confirmation at startup that real processes may be terminated. In a desktop/agent context, that can cause unexpected data loss or disruption if users invoke the skill for monitoring and do not realize it can take destructive action unless dry-run is explicitly enabled.

Missing User Warnings (Medium severity, 89% confidence)

Finding:
This code enumerates all processes and collects potentially sensitive metadata including usernames, full command lines, process names, creation times, and IO statistics. In the context of a memory-monitoring skill, such collection may be functionally relevant, but without clear consent, minimization, or disclosure it can expose private user activity, application usage, and secrets embedded in command-line arguments.

Missing User Warnings (Medium severity, 92% confidence)

Finding:
The code directly executes destructive actions (terminate, kill, renice) based on an AI-derived verdict without any explicit user confirmation or safety interlock in this execution path. In the context of a memory-cleaning skill, misclassification or misuse could terminate legitimate applications or important system processes, causing data loss or service disruption.

Missing User Warnings (Medium severity, 88% confidence)

Finding:
The file implements webhook transmission of process event details without any user-facing disclosure in this module, making silent exfiltration of operational metadata possible. Lack of transparency is especially risky in a host-management tool because users may assume actions and monitoring remain entirely local.

Missing User Warnings (High severity, 93% confidence)

Finding:
The guardian loop automatically executes batch process termination when memory thresholds are met, without any explicit confirmation, consent checkpoint, or hard safety interlock in this file. Because this tool is specifically designed to kill processes, automatic action under load can terminate legitimate applications, causing data loss, service interruption, or destabilization if scoring/protection logic is wrong or manipulated.

Missing User Warnings (Medium severity, 89% confidence)

Finding:
The manual kill endpoints provide direct destructive operations over HTTP without any user confirmation flow, warning banner, or secondary approval in this file. Combined with the lack of authentication elsewhere in the service, these endpoints enable arbitrary process termination through simple requests, which is more severe than a local desktop-only prompt because it is scriptable and remotely triggerable from the local browser context.

VirusTotal

65/65 vendors flagged this skill as clean.