Recipe Query

Security checks across malware telemetry and agentic risk

Overview

This recipe skill appears useful, but it under-discloses its API-key storage and its handling of raw external API output enough that users should review it before installing.

Install only if you are comfortable providing an API key that may be saved locally in a .env file. Prefer a version that asks before storing secrets, documents where the key is kept, pins dependencies, and formats recipe fields instead of displaying raw API responses.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no permissions while its documented behavior implies environment access, local file read/write, and network use. This weakens user and platform visibility into sensitive capabilities and can lead to consent bypass, especially because the skill also handles API keys and persists them locally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose is a simple recipe lookup tool, but the documentation also requires credential collection, local persistence of API keys, and communication with an external service that is not prominently disclosed in the description. This mismatch can mislead users about the trust boundary and sensitivity of the actions being performed.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The code persists an API key to a local .env file and updates process environment state, which introduces credential exposure risk if the file is readable by other users, committed to source control, or included in logs/backups. This is especially suspicious because the skill metadata describes a recipe query tool, while the config references an unrelated service and stores credentials without clear necessity or scope justification.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
This code creates local credential storage capability without any user confirmation, encryption, or access control hardening. In a simple recipe-query context, that unnecessary secret-handling surface increases the chance of accidental credential disclosure and suggests the skill may be operating beyond its stated purpose.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the model to collect a user API key and persist it with set_api_key(api_key), but it does not clearly warn the user that the credential will be stored locally or explain retention and protection. That creates a sensitive-secret handling risk because users may disclose credentials without informed consent and the storage location may be inadequately protected.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The function writes a supplied API key directly into .env without any user-facing warning or confirmation, which can surprise users and leave secrets on disk longer than intended. Secrets stored this way are commonly leaked via repository commits, backups, desktop search, or permissive file permissions.

Ssd 3

Medium
Confidence
91% confidence
Finding
The workflow combines collection of a sensitive API key with instructions to display raw API output, which increases the risk that secrets or reflected credential values could be surfaced back to the user or included in model-visible text. If the upstream API returns debugging metadata, echoed request fields, or account details, the skill provides no redaction barrier.

Ssd 3

Medium
Confidence
94% confidence
Finding
The documentation explicitly tells the model to organize and display result['raw'] directly without any sanitization guidance. Direct rendering of untrusted remote content can expose sensitive metadata, reflected input, or malicious text intended to manipulate downstream agents or users.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
97% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
97% confidence
Finding
pydantic>=2.7.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
97% confidence
Finding
pydantic-settings>=2.2.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
97% confidence
Finding
python-dotenv>=1.0.1

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
82% confidence
Finding
requests

Known Vulnerable Dependency: pydantic — 3 advisory(ies): CVE-2021-29510 (Use of "infinity" as an input to datetime and date fields causes infinite loop i); CVE-2024-3772 (Pydantic regular expression denial of service); CVE-2021-29510 (Pydantic is a data validation and settings management using Python type hinting.)

High
Category
Supply Chain
Confidence
78% confidence
Finding
pydantic

VirusTotal

VirusTotal findings are pending for this skill version.