AI木工大师

Security checks across malware telemetry and agentic risk

Overview

This skill is a woodworking guide that generates local HTML reports, with no evidence of exfiltration, credential use, persistence, or destructive behavior.

Install only if you are comfortable with the skill running a local Python script that creates an HTML report file. Avoid passing custom --output paths unless you choose the destination yourself, and treat tool/brand buying advice as region-specific rather than universally applicable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill instructs the agent to generate an HTML report and write it to `woodworking_report.html`, which is a file-write capability, but no corresponding permission declaration is shown. Undeclared write behavior weakens sandboxing and user trust because a host may allow the skill to perform side effects that are not transparent in metadata or approval flows.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding: The script accepts a user-controlled `--output` path and writes HTML to that location without any restriction or validation. In an agent/skill context, this creates arbitrary file write capability relative to the process permissions, which is broader than necessary for generating a woodworking report and could overwrite application files, user files, or sensitive paths if an attacker can influence arguments.

Natural-Language Policy Violations

Medium
Confidence: 80%
Finding: The instruction to recommend tools, brands, and purchase channels specifically for the Chinese market imposes a regional bias without confirming the user's location, regulatory environment, or preferences. In a woodworking skill, this can lead to unsafe or unsuitable product guidance because tool standards, electrical compatibility, and safety certifications vary by market.

VirusTotal

64/64 vendors flagged this skill as clean.
