ClawHub

Seedgen

Security checks across malware telemetry and agentic risk

Overview

SeedGen is a local random-value generator, but its metadata overclaims deterministic, reproducible, and audit-record capabilities that the script does not provide.

Review before installing. Use this only as a local nondeterministic random generator, not for reproducible test fixtures, auditable seed records, deterministic replay, or compliance-sensitive salt rotation records. Prefer the /dev/urandom-backed modes for security-sensitive random values and avoid unbounded batch requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill advertises reproducible seeds and deterministic test data, but the documented behavior relies on nondeterministic randomness from /dev/urandom and related tools. This mismatch can cause users to rely on it for repeatable tests, seed recordkeeping, or audit workflows where exact regeneration is required, leading to irreproducible results and potentially broken security or compliance processes.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill advertises reproducible seed generation and deterministic test data, but all implemented generators rely on nondeterministic sources such as /dev/urandom, shuf, RANDOM, and awk srand() with no facility to accept, persist, or replay a seed. In a testing, auditing, or salt-rotation context, this can mislead users into believing outputs are reproducible when they are not, causing irreproducible test results, failed audits, and incorrect security assumptions around stored seed records.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The header and help text frame the script as a seed generator for reproducible workflows, but the code does not generate manageable/replayable seeds and instead emits one-off random values. This mismatch is dangerous because users may integrate it into deterministic test-data or audit pipelines under false assumptions, leading to broken reproducibility and unreliable evidence trails.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal