Security audit

ROS2 Execution

Security checks across malware telemetry and agentic risk

Overview

This ROS 2 skill appears purpose-aligned, but it gives an agent broad robot-command authority while overstating and inconsistently describing its safety limits.

Review before installing or enabling this skill on a real ROS system. Use it only in a trusted workspace, keep config.json and packages.json writable only by trusted users, keep the package allowlist narrow, prefer named parameter profiles over arbitrary paths, and require human approval before running commands that could move hardware or affect actuators.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Build the environment by sourcing the bash file
    env_command = f"source {ros_setup_path} && env"
    try:
        env_proc = subprocess.run(['bash', '-c', env_command], stdout=subprocess.PIPE, text=True, check=True)
        ros_env = {}
        for line in env_proc.stdout.splitlines():
            if '=' in line:
Confidence
93% confidence
Finding
env_proc = subprocess.run(['bash', '-c', env_command], stdout=subprocess.PIPE, text=True, check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
cmd_array.extend(extra)

    # Execute safely without shell=True
    sys.exit(subprocess.call(cmd_array, env=ros_env))

if __name__ == "__main__":
    main()
Confidence
85% confidence
Finding
sys.exit(subprocess.call(cmd_array, env=ros_env))

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation clearly instructs the agent to read local files such as config/packages.json and profile YAMLs and to execute a Python wrapper script, which are effective file-read and shell capabilities despite no declared permissions. Missing permission declarations weaken trust and policy enforcement because reviewers and runtime controls may not accurately understand what the skill can do.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The security section says only run/launch/call are valid, but the documented interface and examples also use service_call and action_send_goal. This inconsistency is dangerous because users and downstream enforcement may rely on the narrower documented validation while the skill actually encourages broader command execution paths that may bypass intended checks or receive less scrutiny.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The skill explicitly claims a strict security constraint that only run/launch/call are permitted, then later instructs use of other command types. Security claims that contradict operational instructions can cause unsafe assumptions, incomplete testing, and accidental exposure of command pathways that were not hardened to the same standard.
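The two command-type findings above share one root cause: the security section and the validator are maintained separately, so the documented limit (run/launch/call) and the commands the skill actually encourages (service_call, action_send_goal) can drift apart. The following is an added example, not the audited skill's code, of keeping one allowlist that the validator, the argv builder and the generated security text all read. The ros2 CLI verbs mapped to each command type, the packages.json layout with a per-package approval flag, the token pattern and the hypothetical build_command/security_section names are assumptions made for illustration; the page does not show the skill's real mapping.

```python
"""Added example, not the audited skill's code: a single command allowlist
that the validator, the argv builder and the generated security text all
read, so the documented limits cannot drift from what the wrapper runs."""
import json
import re
from dataclasses import dataclass

# Assumed ros2 CLI verbs for the three documented command types; the audited
# skill's own mapping is not shown on the page.
ALLOWED_COMMANDS = {
    "run": ("ros2", "run"),
    "launch": ("ros2", "launch"),
    "call": ("ros2", "service", "call"),
}
PACKAGE_NAME = re.compile(r"^[a-z][a-z0-9_]*$")    # ROS 2 package naming rules
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_./:=@-]+$")  # conservative, hypothetical
# Parameters must arrive through a named profile, never as raw CLI flags.
FORBIDDEN_FLAGS = ("--params-file", "--ros-args")

# Constructed packages.json for the demo: each entry says whether a human
# must approve before the package's nodes are started.
PACKAGES_JSON = """{
  "demo_nodes_cpp": {"approval": false},
  "arm_controller": {"approval": true}
}"""


@dataclass
class Plan:
    argv: list
    needs_approval: bool


def load_allowlist(text=PACKAGES_JSON):
    """Parse packages.json and reject names that are not valid ROS 2 packages."""
    data = json.loads(text)
    for name in data:
        if not PACKAGE_NAME.match(name):
            raise ValueError(f"invalid package name in allowlist: {name!r}")
    return data


def build_command(kind, args, allowlist):
    """Validate a request and return the argv the wrapper may exec (no shell).

    `args` are the positional tokens after the verb; for run/launch the first
    token is the package and must be in packages.json. Anything that is not a
    run/launch of an allowlisted package is treated as needing approval."""
    if kind not in ALLOWED_COMMANDS:
        raise ValueError(f"command type {kind!r} is not permitted "
                         f"(allowed: {', '.join(sorted(ALLOWED_COMMANDS))})")
    if not args:
        raise ValueError("missing positional arguments")
    for tok in args:
        if tok in FORBIDDEN_FLAGS or tok.startswith(tuple(f + "=" for f in FORBIDDEN_FLAGS)):
            raise ValueError(f"{tok!r} must go through a named profile, not raw args")
        if not SAFE_TOKEN.match(tok):
            raise ValueError(f"rejected token {tok!r}")
    needs_approval = True
    if kind in ("run", "launch"):
        package = args[0]
        if package not in allowlist:
            raise ValueError(f"package {package!r} is not in packages.json")
        needs_approval = bool(allowlist[package].get("approval", True))
    return Plan([*ALLOWED_COMMANDS[kind], *args], needs_approval)


def security_section():
    """Text for the README security section, generated from the same table
    the validator enforces, so the two cannot disagree."""
    return ("Only the following command types are accepted: "
            + ", ".join(sorted(ALLOWED_COMMANDS)) + ".")


if __name__ == "__main__":
    allow = load_allowlist()
    print(security_section())
    print(build_command("run", ["demo_nodes_cpp", "talker"], allow))
    print(build_command("launch", ["arm_controller", "bringup.launch.py"], allow))
    for bad in (("service_call", ["/trigger", "std_srvs/srv/Trigger"]),
                ("run", ["demo_nodes_cpp", "talker", "--params-file", "/etc/x.yaml"])):
        try:
            build_command(bad[0], bad[1], allow)
        except ValueError as exc:
            print("rejected:", exc)
```

If the skill is meant to support service_call and action_send_goal, they belong in ALLOWED_COMMANDS with their own validation, and the security text then documents them automatically; what must not happen is the README promising a narrower set than the code accepts.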

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest and code present this as an allowlisted, sandboxed ROS 2 executor, but `--params-file` accepts any filesystem path that exists. That lets a caller feed arbitrary YAML into ROS nodes from outside approved profile directories, bypassing the intended parameter-profile control model and potentially altering behavior of privileged or safety-sensitive nodes.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The module describes itself as a strict safety wrapper, yet it executes a shell command derived from dynamic configuration in order to source the ROS environment. This mismatch is security-relevant because operators may trust the tool's safety guarantees while a compromised or improperly protected config can turn startup into arbitrary code execution.
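The two path-handling findings above (an unconstrained `--params-file` and a shell string built from the configured setup path) have the same fix shape: confine every externally chosen path to an approved directory after resolving symlinks, and never let that path become part of shell text. The following is an added example, not the audited skill's code. It keeps the flagged interpolation pattern beside a hardened version that hands the path to bash as `$1`, maps profile names (not paths) onto a profiles directory, and builds a constructed ROS tree in a temporary directory so it runs offline. The directory layout, the file-mode policy and the confine_path/resolve_params_file/run_demo names are assumptions for illustration.

```python
"""Added example, not the audited skill's code: confine the ROS setup script
and the --params-file to approved directories, and source the setup script
without interpolating configuration into a shell string."""
import re
import shutil
import stat
import subprocess
import tempfile
from pathlib import Path

PROFILE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # names only, never paths


def confine_path(candidate, root):
    """Return `candidate` resolved, if it is a regular file strictly inside
    `root` (symlinks resolved on both sides) and not group/world-writable."""
    root = Path(root).resolve()
    path = Path(candidate)
    if not path.is_absolute():
        raise ValueError(f"relative path rejected: {candidate!r}")
    resolved = path.resolve()
    if root not in resolved.parents:
        raise ValueError(f"{candidate!r} is outside {root}")
    st = resolved.stat()  # a bogus path such as '/x; echo ...' fails here at the latest
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{resolved} is not a regular file")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise ValueError(f"{resolved} is group/world-writable")
    return resolved


def parse_env(text):
    """Parse `env` output into a dict (same loop shape as the flagged snippet)."""
    env = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            env[key] = value
    return env


def source_ros_env_unsafe(setup_path):
    """The flagged pattern: the configured path becomes part of the shell text."""
    proc = subprocess.run(["bash", "-c", f"source {setup_path} && env"],
                          stdout=subprocess.PIPE, text=True, check=True)
    return parse_env(proc.stdout)


def source_ros_env(setup_path, ros_root):
    """Hardened form: validate the path, then pass it to bash as $1 so the
    shell sees a single word and never additional commands."""
    setup = confine_path(setup_path, ros_root)
    proc = subprocess.run(
        ["bash", "-c", 'source "$1" && env', "ros-env", str(setup)],
        stdout=subprocess.PIPE, text=True, check=True)
    return parse_env(proc.stdout)


def resolve_params_file(profile, profiles_dir):
    """Accept a profile *name* only and map it to <profiles_dir>/<name>.yaml."""
    if not PROFILE_NAME.match(profile):
        raise ValueError(f"bad profile name {profile!r}")
    profiles_dir = Path(profiles_dir).resolve()
    return confine_path(profiles_dir / f"{profile}.yaml", profiles_dir)


def _rejects(call):
    try:
        call()
    except (ValueError, FileNotFoundError):
        return True
    return False


def run_demo():
    """Build a constructed ROS tree in a temp dir and exercise both paths.
    Returns a dict of outcomes so the behaviour can be checked programmatically."""
    base = Path(tempfile.mkdtemp(prefix="ros2-skill-demo-"))
    ros_root, profiles = base / "opt" / "ros" / "humble", base / "profiles"
    ros_root.mkdir(parents=True)
    profiles.mkdir()
    setup = ros_root / "setup.bash"
    setup.write_text("export ROS_DISTRO=humble\n")
    setup.chmod(0o644)
    loose = ros_root / "loose.bash"                 # writable by anyone: rejected
    loose.write_text("export ROS_DISTRO=evil\n")
    loose.chmod(0o666)
    (profiles / "safe.yaml").write_text("talker:\n  ros__parameters: {}\n")
    (profiles / "safe.yaml").chmod(0o644)
    (base / "outside.yaml").write_text("{}\n")
    (profiles / "link.yaml").symlink_to(base / "outside.yaml")  # symlink escape

    injected = "/dev/null; echo INJECTED=yes"      # config value an attacker controls
    out = {
        "setup_ok": confine_path(setup, ros_root) == setup.resolve(),
        "world_writable_rejected": _rejects(lambda: confine_path(loose, ros_root)),
        "injection_rejected": _rejects(lambda: source_ros_env(injected, ros_root)),
        "profile_ok": resolve_params_file("safe", profiles).name == "safe.yaml",
        "traversal_rejected": _rejects(lambda: resolve_params_file("../outside", profiles)),
        "symlink_rejected": _rejects(lambda: resolve_params_file("link", profiles)),
    }
    if shutil.which("bash"):
        out["unsafe_env"] = source_ros_env_unsafe(injected).get("INJECTED")  # "yes"
        out["safe_env"] = source_ros_env(setup, ros_root).get("ROS_DISTRO")  # "humble"
    shutil.rmtree(base)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The ownership and mode checks matter because the sourced file is executed by bash regardless of how carefully the path is passed; confining the path without checking who can write the file only moves the problem. The same confine_path check is what `--params-file` needs: the wrapper resolves a profile name to a file under its own profiles directory and never accepts a caller-supplied path.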

VirusTotal

64/64 vendors reported this skill as clean (0 detections). A clean antivirus verdict covers known-malware signatures only; the agentic findings above (undeclared capabilities, documentation that contradicts the code, and config-driven shell execution) are outside what those engines assess.