Stegstr

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Stegstr/Nostr image-steganography helper, but installing it clones and builds an unpinned Rust project from GitHub, and users should handle private keys and decoded payloads carefully.

Install only if you trust the Stegstr GitHub project and its Rust dependencies; for sensitive environments, prefer a pinned release or reviewed commit. Avoid putting real Nostr private keys in prompts, shell history, shared logs, or process-visible command lines, and review decoded payloads before sharing or using them elsewhere.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The skill’s stated purpose is steganographic encoding/decoding, but it also instructs the agent to fetch remote code from GitHub and compile it with Cargo. That materially expands trust and execution boundaries: a user invoking an image-processing skill may unknowingly trigger supply-chain exposure, arbitrary build-script execution, dependency fetching, and installation behavior not clearly disclosed in the core purpose.

Scope Creep

Severity: High
Confidence: 97%
Finding: The installer performs network retrieval via git clone/pull and then builds the fetched code, even though the skill declares only filesystem permission. This creates a trust-boundary violation: a user or agent may approve the skill assuming local-only behavior, while installation actually executes a remote supply-chain path whose contents can change over time or be redirected via STEGSTR_REPO_URL.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: The script depends on git and cargo to fetch and build code from external sources at install time, which introduces a software supply-chain risk and non-reproducible installs. Cargo builds can execute build scripts from dependencies, so this is more than simple compilation and can lead to execution of attacker-controlled code if the upstream repo or dependency chain is compromised.

Missing User Warnings

Severity: Medium
Confidence: 77%
Finding: The skill encourages extracting and embedding hidden payloads from images without warning that recovered data may be sensitive, malicious, or privacy-impacting. In context, steganographic content can contain secrets, encrypted bundles, or untrusted data, so the omission of handling guidance increases the chance of accidental disclosure, unsafe sharing, or insecure downstream processing.

VirusTotal

66/66 vendors flagged this skill as clean.