Clawhub Publish V621

Security checks across malware telemetry and agentic risk

Overview

This appears to be a security scanner rather than malware, but it needs review because the reviewed package overclaims its scanning capability, ships that capability incompletely, and includes an under-disclosed optional path that can send scanned content to an external LLM service.

Review this before installing or relying on it as a security gate. Verify that the actual package you install contains the advertised rule database and CLI entrypoints, treat scan results as advisory rather than proof of safety, and avoid optional LLM analysis on private code or secret-bearing repositories unless you are comfortable sending scanned content to the configured provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding:
The skill advertises operational capabilities including environment access, file read/write, network use, and shell execution, but declares no permissions in the skill metadata. This creates a trust and governance gap: users and hosting platforms cannot accurately assess or constrain the skill’s effective privilege needs, increasing the risk of unexpected filesystem access, command execution, or outbound connections if the referenced tooling is invoked.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The detector explicitly returns False for any file path matching broad SAFE_CONFIG_PATTERNS, which bypasses all malicious-content inspection despite the function contract claiming it checks for malicious configuration. In a security scanner, this creates a filename-based allowlist bypass: an attacker can name a malicious config file to match a trusted pattern such as examples/.*.json or .*security.*.yaml and evade detection.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding:
The Semgrep external-rule loader mutates `self.layer2.compiled` as if it were a dictionary keyed by rule ID, but `RuleEngine.scan()` iterates it as a list of rule objects and expects `_compiled` regex lists on each rule. This means externally loaded Semgrep rules will not be evaluated correctly and may cause runtime errors or silent detection gaps, reducing the scanner's ability to catch malicious content.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding:
The Bandit loader has the same structural mismatch as the Semgrep loader: it writes entries into `self.layer2.compiled` using dictionary-style indexing even though the scan path expects a list of rule dictionaries. In a security scanner, broken rule ingestion directly weakens detection coverage and can create a false sense of safety for users relying on Bandit-derived checks.

Missing User Warnings

Severity: High
Confidence: 88%
Finding:
When --llm is enabled, file content is passed to LLMEngine for analysis, which likely transmits scanned data to an external model provider. This file does not present a clear consent notice, redaction step, or data-handling warning before potentially sensitive repository contents are sent off-host, creating a confidentiality and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The engine sends analyzed code content to a third-party LLM API, which can expose proprietary source code, secrets embedded in code, or sensitive operational details to an external service. In a security-scanning skill, this is especially risky because the input may intentionally contain credentials, exploit payloads, or confidential incident data under investigation.

VirusTotal

66/66 vendors flagged this skill as clean.
