Site Change Alert

Security checks across malware telemetry and agentic risk

Overview

The main website monitor mostly matches its purpose, but the package has confusing duplicate artifacts and creates persistent local state or cron jobs with limited safety controls.

Review before installing. Use only for non-sensitive pages unless you are comfortable storing URLs and snapshots locally. Do not paste secrets or sensitive webhook URLs unless the local data directory is protected, inspect any cron entry before keeping it, and prefer removing the stale nested skill/script or using only the root script.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill advertises and invokes shell-based scripts and appears to require file access, but it declares no permissions or trust boundaries. That creates a transparency and consent problem: users or hosting platforms may execute a skill with broader capabilities than expected, increasing the chance of unintended local file access or exposure to command execution.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The implementation materially diverges from the stated purpose of monitoring websites and sending alerts. Instead, it accepts arbitrary user input across many generic commands and persists that data locally, which can mislead users into trusting a skill that does not perform the advertised security-relevant function and quietly accumulates data.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script exposes broad logging, search, export, and reporting features that are not necessary for a website-change monitor and increase the chance of collecting or disclosing unrelated sensitive data. In a skill context, this overbroad functionality expands the attack surface and creates opportunities for misuse or unexpected retention of user-supplied content.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The case statement defines duplicate command names such as 'export' and 'status', with earlier branches consuming those commands for simple logging and making the later utility implementations unreachable. This deceptive or broken command routing can cause operators to believe they are invoking status/export functions when they are actually just storing input, undermining transparency and safe operation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill encourages configuring webhook and email notifications but gives no warning that monitored page content, diffs, URLs, timestamps, or metadata may be transmitted to third-party endpoints. In a monitoring context, this can leak sensitive internal URLs, page contents, or operational signals to external services without informed user consent.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The `schedule` command writes directly to the user's crontab without an interactive confirmation or explicit warning, creating persistent execution. In an agent-skill context, this is more dangerous than a normal CLI because invoking the skill can silently establish background persistence and ongoing network activity on the host.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly states that all command inputs and activity are stored in local log files, but the user-facing description and usage guidance do not prominently warn that arbitrary inputs, URLs, tokens, search terms, and operational history may be persistently recorded. This creates a real privacy and security risk because users may supply sensitive data assuming the tool is ephemeral, and those values can later be exposed through local compromise, shared accounts, backups, or exported logs.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
User-provided input is written verbatim to persistent log files and may later be exposed through search, recent, stats, and export functions, but the script gives no warning about retention or disclosure. In an agent skill, users may paste URLs, tokens, email addresses, or page contents, creating a realistic privacy and secret-leakage risk.

VirusTotal

VirusTotal findings are pending for this skill version.
