Claw Permission Firewall

Security checks across malware telemetry and agentic risk

Overview

This is a declared security-policy evaluator: the destructive commands and bearer tokens in the manifest are example inputs the gate is meant to deny or redact, not actions the skill executes.

Install only if you understand this is a policy gate, not a complete security boundary. Before relying on it for enforcement: configure `policy.yaml` for your environment; execute only the `sanitizedAction` returned with an ALLOW decision, never the raw manifest action; keep user confirmation in a trusted host layer the skill cannot bypass; and deny (fail closed) any action type the policy does not recognize.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Severity: Medium
Confidence: 98%
Finding: The manifest exposes an exec action with no apparent trigger scoping, activation constraints, or other limiting conditions, which allows arbitrary execution behavior to be reachable too broadly. In this file that risk is amplified because the configured command is explicitly destructive, so the lack of constraints materially increases the chance of catastrophic execution.

Natural-Language Policy Violations

Severity: Critical
Confidence: 100%
Finding: The command `rm -rf /` attempts recursive deletion from the filesystem root, a classic destructive payload capable of wiping the host system or severely damaging the runtime environment. GNU rm refuses the bare `/` target by default (`--preserve-root`), but trivial variants such as `rm -rf /*` are not caught by that safeguard, so embedding this command in a skill manifest is inherently unsafe and creates a direct path to denial of service and data destruction.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding: The manifest defines an HTTP request action but provides no trigger scope, activation rule, or user-consent constraint, so it is unclear when or why the request may run. In a skill system, unspecified invocation conditions increase the chance of unintended network access and make it harder to enforce least privilege or review the execution context for safety.

Natural-Language Policy Violations

Severity: High
Confidence: 99%
Finding: The manifest contains a hard-coded API key directly in the request headers, which exposes the credential to anyone who can read the file and enables unauthorized reuse. Because the skill also performs an outbound request to an external domain, the embedded secret could be abused for data access, impersonation, or further compromise depending on the key's permissions.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
"action": {
    "type": "http_request",
    "method": "GET",
    "url": "https://api.github.com/repos/octocat/Hello-World",
    "headers": {
      "authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.abc.def"
    }
}
Confidence: 98%
Finding: outbound request to https://api.github.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal