ROS2 Introspection

Security checks across malware telemetry and agentic risk

Overview

This is a ROS 2 introspection helper with disclosed source. The scan found no malicious behavior, but it did find operational caveats: the wrapper exposes live topic data, can launch a GUI process, and builds its environment by sourcing the ROS setup script through a shell string.

Install only in a ROS environment you control. Review the generated config/config.json after setup, avoid rqt_graph if you do not want a GUI process launched, and treat topic echo and param dump output as potentially sensitive robot or system data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Build the environment by sourcing the bash file
    env_command = f"source {ros_setup_path} && env"
    try:
        env_proc = subprocess.run(['bash', '-c', env_command], stdout=subprocess.PIPE, text=True, check=True)
        ros_env = {}
        for line in env_proc.stdout.splitlines():
            if '=' in line:
Confidence
90% confidence
Finding
env_proc = subprocess.run(['bash', '-c', env_command], stdout=subprocess.PIPE, text=True, check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Special case for rqt_graph
    if category == "rqt_graph":
        sys.exit(subprocess.call(["rqt_graph"]))

    if len(sys.argv) < 3:
        # Some commands might just be e.g. "topic list", but if they passed only "topic", it will fail validation below
Confidence
86% confidence
Finding
sys.exit(subprocess.call(["rqt_graph"]))

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill is described as strictly read-only ROS graph introspection, but the documented behavior expands beyond that scope by launching rqt_graph, running setup logic that writes configuration, and permitting commands like topic echo/hz/bw that actively subscribe to live traffic. This mismatch can mislead users and reviewers into granting trust or permissions under a narrower assumption, increasing the chance of unintended data exposure, GUI launch side effects, or unauthorized state changes during setup.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
Allowing `rqt_graph` outside the manifest's declared introspection commands breaks the wrapper's security model and creates functionality not covered by the read-only `ros2` subcommand checks. In skill context, this is more dangerous because the skill advertises strict read-only ROS 2 introspection, so users and higher-level systems may rely on a narrower trust boundary than the code actually enforces.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The docstring states this is a 'strict safety wrapper', but the implementation contains an undocumented bypass for `rqt_graph` and unsafe shell-based environment sourcing. This mismatch can cause operators and integrators to overtrust the wrapper, increasing the likelihood that unsafe behavior is deployed in sensitive robotics environments without additional controls.
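The two subprocess findings and the two mismatch findings above point at the same pair of fixes: stop interpolating the setup path into a shell string, and enforce the read-only command set the skill advertises instead of special-casing rqt_graph. The following is an added example written for this page, not the skill's own code. It assumes a hypothetical allowlist of ros2 subcommands and a constructed fake setup.bash; the safe form passes the path to bash as a positional parameter so metacharacters in it are never parsed as shell syntax.

```python
"""Hardened sourcing and command gating for a ROS 2 introspection wrapper.

Added example for this report; not the scanned skill's code. READ_ONLY_COMMANDS
is an assumed allowlist, and the setup.bash used in demo_hostile_path() is a
constructed fixture.
"""
import os
import subprocess
import tempfile
from typing import Dict, Sequence

# Assumed allowlist: subcommands that only query the graph. 'topic echo/hz/bw'
# subscribe to live traffic and 'rqt_graph' launches a GUI, so neither is here.
READ_ONLY_COMMANDS = {
    ("topic", "list"), ("topic", "info"), ("topic", "type"),
    ("node", "list"), ("node", "info"),
    ("service", "list"), ("service", "type"),
    ("param", "list"),
}


def env_command_unsafe(ros_setup_path: str) -> str:
    """The pattern the scanner flagged: the path becomes shell syntax."""
    return f"source {ros_setup_path} && env"


def env_argv_safe(ros_setup_path: str) -> list:
    """Pass the path as $1; bash quotes it, so ';' or spaces are just bytes."""
    return ["bash", "-c", 'source "$1" && env', "_", ros_setup_path]


def parse_env(stdout: str) -> Dict[str, str]:
    """Parse `env` output; split on the first '=' only, values may contain '='."""
    env: Dict[str, str] = {}
    for line in stdout.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            env[key] = value
    return env


def source_ros_env(ros_setup_path: str) -> Dict[str, str]:
    """Source a setup script safely and return the resulting environment."""
    if not os.path.isfile(ros_setup_path):
        raise FileNotFoundError(ros_setup_path)
    proc = subprocess.run(env_argv_safe(ros_setup_path),
                          stdout=subprocess.PIPE, text=True, check=True)
    return parse_env(proc.stdout)


def is_allowed(argv: Sequence[str]) -> bool:
    """Gate every invocation on the allowlist; no rqt_graph special case."""
    if len(argv) < 3 or argv[0] != "ros2":
        return False
    return (argv[1], argv[2]) in READ_ONLY_COMMANDS


def demo_hostile_path() -> Dict[str, str]:
    """Constructed fixture: a setup.bash whose path contains ';'.

    Returns the env the safe form produced and the stdout the unsafe form
    produced, so the two can be compared side by side.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "setup;echo pwned.bash")
        with open(path, "w") as fh:
            fh.write("export ROS_DISTRO=humble\nexport ROS_VERSION=2\n")
        safe_env = source_ros_env(path)
        # Unsafe form, run only for comparison: 'source' fails on the truncated
        # path, then 'echo pwned.bash' executes as an injected command.
        unsafe = subprocess.run(["bash", "-c", env_command_unsafe(path)],
                                stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
                                text=True, check=False)
        return {"safe_ros_distro": safe_env.get("ROS_DISTRO", ""),
                "unsafe_stdout": unsafe.stdout}


if __name__ == "__main__":
    result = demo_hostile_path()
    print("safe form sourced ROS_DISTRO =", result["safe_ros_distro"])
    print("unsafe form injected:", "pwned" in result["unsafe_stdout"])
    for argv in (["ros2", "topic", "list"], ["ros2", "topic", "echo", "/x"], ["rqt_graph"]):
        print(argv, "allowed" if is_allowed(argv) else "denied")
```

The allowlist is the part to review with the skill's manifest: whatever the manifest declares as read-only is what `is_allowed` should accept, and anything else, including `rqt_graph`, is denied rather than special-cased.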

VirusTotal

0/65 security vendors flagged this skill as malicious.

View on VirusTotal