存储清理 (Storage Cleanup)

Security checks across malware telemetry and agentic risk

Overview

This is a real disk-cleaning skill, but it exposes broad file deletion and local HTTP controls without enough scoping or user protection.

Review carefully before installing. Use this only if you are comfortable with a skill that can scan local folders and run deletion commands. Prefer moving items to the Recycle Bin, inspect every generated command before letting an agent execute it, avoid running the local server, and do not use permanent delete unless you have verified the exact path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and demonstrates filesystem access, environment-variable expansion, report generation, and browser/report launching, but it does not declare corresponding permissions or constraints. This creates a mismatch between what the host may expect and what the skill can actually do, reducing transparency and making destructive behavior harder to govern or sandbox.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script exposes a general-purpose deletion primitive that accepts any caller-supplied path and can permanently remove files or directories, not just vetted junk files. In a disk-cleaner context, this is especially dangerous because users may trust the tool as 'safe,' yet there are no scope restrictions, allowlists, or ownership checks preventing deletion of arbitrary system or user data.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The clean_item interface exposes a 'delete' method that turns the utility into a general-purpose file wiper rather than a narrowly scoped junk cleaner. That capability materially expands abuse potential because any component invoking this script can bypass the Recycle Bin and destroy arbitrary data immediately.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The bulk-clean path trusts any JSON file and deletes every path listed under 'green' without verifying provenance, integrity, or schema beyond basic field access. An attacker or another local process could craft a malicious JSON file that labels arbitrary valuable paths as safe to clean, enabling mass deletion with a single command.
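The deletion primitive in the two findings above and the untrusted 'green' list in this one are missing the same controls: a scope check on every path, a provenance check on the report, and a preview before anything is removed. The following is an added example written for this page, not the skill's code. The function names, the quarantine folder (a stdlib stand-in for "send to Recycle Bin") and the HMAC tag the scanner would write next to report.json under a per-launch key are all assumptions about how a hardened version could work; the sample directory tree and report are constructed inline so the block runs offline.

```python
import hashlib
import hmac
import json
import os
import shutil
import tempfile
from pathlib import Path


def is_cleanable(candidate, allowed_roots):
    """True only if candidate resolves (symlinks followed) to a location strictly
    inside one of allowed_roots. Rejects '..' escapes, a root itself, and a
    symlink planted in a junk folder that points at user data."""
    target = Path(candidate).resolve()
    for root in allowed_roots:
        r = Path(root).resolve()
        if target != r and r in target.parents:
            return True
    return False


def verify_report(report_bytes, tag_hex, key):
    """Hypothetical provenance check: the scanner writes an HMAC-SHA256 tag over
    the exact bytes of report.json under a per-launch key, so bulk clean can
    refuse a report it did not produce or that was edited afterwards."""
    expected = hmac.new(key, report_bytes, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag_hex)


def plan_bulk_clean(report_bytes, tag_hex, key, allowed_roots):
    """Return (approved, rejected). Nothing is touched here: the caller shows
    'approved' to the user as a preview and acts only after confirmation."""
    if not verify_report(report_bytes, tag_hex, key):
        raise ValueError("report failed integrity check; refusing bulk clean")
    green = json.loads(report_bytes).get("green")
    if not isinstance(green, list) or not all(isinstance(p, str) for p in green):
        raise ValueError("report schema: 'green' must be a list of path strings")
    approved, rejected = [], []
    for p in green:
        (approved if is_cleanable(p, allowed_roots) else rejected).append(p)
    return approved, rejected


def clean_paths(paths, allowed_roots, quarantine_dir, permanent=False):
    """Default action moves items into a quarantine folder; permanent=True is an
    explicit opt-in. Scope is re-checked here because the report may be stale."""
    quarantine_dir = Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    actions = []
    for p in paths:
        if not is_cleanable(p, allowed_roots):
            actions.append(("skipped-out-of-scope", p))
            continue
        src = Path(p)
        if not permanent:
            shutil.move(str(src), str(quarantine_dir / src.name))
            actions.append(("quarantined", p))
        elif src.is_dir() and not src.is_symlink():
            shutil.rmtree(src)
            actions.append(("deleted", p))
        else:
            src.unlink()
            actions.append(("deleted", p))
    return actions


def demo():
    """Constructed scenario: a junk root, a Documents folder, and a report whose
    'green' list holds one real junk file plus two attempts to smuggle user
    data in (a direct path and a '..' traversal)."""
    base = Path(tempfile.mkdtemp())
    junk, docs = base / "cache", base / "Documents"
    junk.mkdir()
    docs.mkdir()
    (junk / "old.tmp").write_text("stale")
    (docs / "thesis.docx").write_text("irreplaceable")
    key = os.urandom(32)
    report = json.dumps({"green": [
        str(junk / "old.tmp"),
        str(docs / "thesis.docx"),
        str(junk / ".." / "Documents" / "thesis.docx"),
    ]}).encode()
    tag = hmac.new(key, report, hashlib.sha256).hexdigest()
    approved, rejected = plan_bulk_clean(report, tag, key, [junk])
    try:  # a report edited after it was tagged must be refused outright
        plan_bulk_clean(report.replace(b"old.tmp", b"new.tmp"), tag, key, [junk])
        tampered_accepted = True
    except ValueError:
        tampered_accepted = False
    actions = clean_paths(approved, [junk], base / "quarantine")
    result = {
        "approved": len(approved),
        "rejected": len(rejected),
        "tampered_accepted": tampered_accepted,
        "thesis_survives": (docs / "thesis.docx").exists(),
        "junk_quarantined": (base / "quarantine" / "old.tmp").exists()
        and not (junk / "old.tmp").exists(),
        "actions": [kind for kind, _ in actions],
    }
    shutil.rmtree(base)
    return result
```

Both smuggled entries are rejected by the same resolve-then-compare check, so the cleaner never needs a denylist of "important" locations; anything not under a declared junk root is out of scope by construction. The permanent path is kept but gated behind an argument the user interface would only set after showing the preview.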

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The generated HTML tells the user that a cleanup action has been executed and marks the item as cleaned, but the code only shows an alert and updates the DOM. In a disk-cleaning skill, this deceptive behavior can mislead users into believing sensitive junk or large files were removed when they were not, causing incorrect security or storage assumptions.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The /open endpoint lets any local process or webpage that can reach 127.0.0.1 trigger os.startfile() on an arbitrary existing path, which goes beyond disk-cleaning and can launch files, shortcuts, executables, or registered handlers. Because the server enables wildcard CORS and has no authentication or origin checks, this localhost capability can be abused without user confirmation.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The /shutdown endpoint allows any unauthenticated request to terminate the server process via os._exit(0). This is an unnecessary control surface for a local helper service and enables trivial denial of service from any local process or webpage able to send requests to localhost.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The docstring says the server only handles HTTP and cleaner calls, but the implementation also exposes arbitrary file opening and forceful process termination. This discrepancy can mislead reviewers and users about the server's real capabilities, increasing the chance that risky endpoints are overlooked and shipped without proper safeguards.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger set includes broad phrases such as '清理磁盘', 'storage clean', and 'disk cleanup', which are likely to match ordinary conversation and invoke a skill that can scan and potentially delete files. Because this skill concerns storage cleanup, accidental activation is more dangerous than in a read-only informational skill.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The invocation guidance says the skill should trigger when the user says phrases like '帮我看看存储' or '清理磁盘', which are ambiguous and could be interpreted in many contexts. In a skill that launches subprocesses and leads toward cleanup actions, ambiguity increases the risk of unintended execution and user confusion.

Missing User Warnings

High
Confidence
96% confidence
Finding
Permanent deletion occurs immediately once the function is invoked, with no confirmation prompt, preview, or warning that data will bypass recovery mechanisms. For a consumer-facing cleanup tool, this creates a substantial risk of accidental or coerced destructive actions resulting in irreversible data loss.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script saves detailed scan results, including local file paths, disk layout, and usage metadata, into persistent HTML and JSON files without explicit user notice or consent. On shared systems or if reports are later uploaded, synced, or accessed by other software, this can leak sensitive information about installed apps, user directories, project locations, and system structure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The cleanup and file-opening endpoints execute sensitive actions immediately based on HTTP parameters, with no authentication, no anti-CSRF protections, and no explicit user confirmation. In the context of a localhost service intended to interact with an HTML report, this is especially dangerous because a malicious webpage or local process could trigger deletions or launches behind the user's back.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The shutdown endpoint immediately kills the process without confirmation, warning, or authorization. While the primary impact is denial of service rather than code execution, it is still an avoidable unsafe control path that any reachable client can abuse.
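The /open, /shutdown and cleanup findings above describe one root cause: a loopback HTTP helper that answers any caller, on any method, with wildcard CORS. The following is an added example written for this page, not the skill's server. It assumes a hardened design in which the helper serves the HTML report itself and embeds a per-launch token in that page, so only the report can call back; the token, the authorize() policy and the orderly shutdown in place of os._exit(0) are the additions, and the demo() probe is a constructed client.

```python
import hmac
import http.server
import json
import secrets
import threading
import urllib.error
import urllib.request

# Per-launch secret. In the hardened design the helper serves the report page
# and embeds this token in it, so only that page can call back.
# (Assumption: the skill as reviewed has no such token.)
SESSION_TOKEN = secrets.token_urlsafe(32)


def authorize(method, headers, token, expected_origin):
    """Return None if the request may proceed, else (status, reason).

    The token is checked before any Origin logic, so an unknown caller learns
    nothing about the policy beyond 'forbidden'."""
    if method != "POST":
        # GET must never delete, launch or stop anything: an <img src=...>,
        # a link or a redirect can issue a GET with no script at all.
        return 405, "state-changing endpoints require POST"
    auth = headers.get("Authorization", "")
    presented = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    if not hmac.compare_digest(presented.encode(), token.encode()):
        return 403, "missing or invalid session token"
    origin = headers.get("Origin")
    if origin is not None and origin != expected_origin:
        return 403, "cross-origin caller refused"
    if headers.get("Sec-Fetch-Site", "same-origin") not in ("same-origin", "none"):
        return 403, "cross-site fetch refused"
    return None


class Handler(http.server.BaseHTTPRequestHandler):
    expected_origin = ""  # set once the server knows its port

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        self._reply(*authorize("GET", self.headers, SESSION_TOKEN, self.expected_origin))

    def do_POST(self):
        err = authorize("POST", self.headers, SESSION_TOKEN, self.expected_origin)
        if err:
            self._reply(*err)
            return
        if self.path == "/shutdown":
            # Orderly stop instead of os._exit(0): finish this response, then
            # let serve_forever() return. shutdown() must run off this thread,
            # or a single-threaded HTTPServer would deadlock waiting on itself.
            threading.Thread(target=self.server.shutdown, daemon=True).start()
            self._reply(200, "shutting down")
        else:
            self._reply(404, "no such action")

    def _reply(self, status, detail):
        body = json.dumps({"status": status, "detail": detail}).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        # Deliberately no Access-Control-Allow-Origin header: the report page
        # is same-origin, so no other origin may read these responses.
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def demo():
    """Bind an ephemeral loopback port and probe /shutdown three ways; returns
    the status codes for an anonymous GET, a cross-origin POST without the
    token, and a POST carrying the token (the last one stops the server)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    port = srv.server_address[1]
    Handler.expected_origin = f"http://127.0.0.1:{port}"
    worker = threading.Thread(target=srv.serve_forever, daemon=True)
    worker.start()

    def call(method, headers):
        req = urllib.request.Request(f"http://127.0.0.1:{port}/shutdown",
                                     data=b"" if method == "POST" else None,
                                     method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.status
        except urllib.error.HTTPError as e:
            return e.code

    codes = (
        call("GET", {}),
        call("POST", {"Origin": "http://evil.example"}),
        call("POST", {"Authorization": f"Bearer {SESSION_TOKEN}"}),
    )
    worker.join(timeout=5)  # returns once the authorized shutdown takes effect
    srv.server_close()
    return codes


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, demo() yields 405 for the GET, 403 for the cross-origin POST and 200 for the authenticated one, after which the server has exited cleanly. The same authorize() gate would sit in front of a hardened /open or cleanup route, with the path argument additionally restricted to files the scanner itself reported rather than any existing path.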

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The template explicitly instructs users to tell the Agent to execute cleanup commands and presents destructive commands, including irreversible deletion, with no strong confirmation, safety interstitial, or clear risk disclosure. In the context of a disk-cleaning skill, this materially increases the chance of unsafe agent-mediated file deletion, prompt-injection-assisted command execution, or accidental removal of important paths if upstream report data is wrong or manipulated.

Unvalidated Output Injection

High
Category
Output Handling
Content
import subprocess

# SKILL_DIR and SCANNER_PY are module-level constants of the skill (its own
# directory and the scanner script); their definitions are not in this excerpt.

def run_storage_clean():
    """Run the storage scan, generate the HTML report and open it."""
    result = subprocess.run(
        ["python", SCANNER_PY],  # "python" is resolved via PATH, not sys.executable
        cwd=SKILL_DIR,
        capture_output=True,
    )  # the report-generation and launch steps that follow are not in this excerpt
Confidence
92% confidence
Finding
subprocess.run( ["python", SCANNER_PY], cwd=SKILL_DIR, capture_output

VirusTotal

65/65 vendors flagged this skill as clean.
