Secure Auth Patterns

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only authentication guide, but one OAuth example passes a login token through a URL and should not be copied into production.

Safe to install as a reference, but do not treat every snippet as production-ready. Replace the OAuth redirect-with-token pattern with a safer flow such as server-side session cookies or an authorization-code/PKCE-style exchange, and have any generated auth implementation reviewed before deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The OAuth callback example redirects to the frontend with the access token in the URL query string, which can leak via browser history, referer headers, reverse-proxy logs, analytics tooling, and screenshots. This directly contradicts the later best-practice guidance against unsafe token storage and makes credential exposure more likely in real implementations copied from the skill.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The OAuth callback example redirects with the access token in the URL query string, which can leak via browser history, referrer headers, logs, analytics tools, and intermediary systems. This conflicts with the document's own guidance against unsafe client-side JWT handling and models an insecure pattern that consumers may copy into production.

Missing User Warnings

Medium
Confidence: 96%
Finding
Exposing a bearer token in a redirect URL is a real security weakness because any party that obtains that URL can replay the token and impersonate the user until expiration. In an authentication-patterns skill, this is especially risky because readers may adopt the sample as approved secure practice, amplifying the chance of credential leakage across deployments.

VirusTotal

66/66 vendors flagged this skill as clean.
