CocoLoop

Security checks across malware telemetry and agentic risk

Overview

CocoLoop is a coherent skill manager, but it needs Review because it can install, replace, remove, and upload skill-related local files with weak confirmation and scoping safeguards.

Install only if you trust the CocoLoop service and are comfortable with a skill manager that can change agent skill directories. Disable or narrowly constrain implicit invocation where possible, avoid `--force` and broad uninstall scopes unless you have checked the resolved paths, and do not use `safescan` or `candidate --data-file` on secrets, private repositories, credentials, SSH keys, or personal files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill instructs the agent to use network access and shell commands such as curl, bash, npx, file copying, symlinking, and installation flows across multiple local directories, yet it does not declare permissions or boundaries for those capabilities. This is dangerous because it hides a broad execution and data-access surface from users and higher-level policy controls, increasing the chance of silent command execution, filesystem modification, and remote content retrieval without informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The file claims the CLI is only a thin wrapper and that complex search/fallback decisions are handled by the agent, but the documented behavior includes broader capabilities such as local scanning, persistence under ~/.cocoloop, update/uninstall flows, safescan uploads, and decision logic around review/handoff. This mismatch is dangerous because it can mislead users and reviewers about the true trust boundary and operational scope, causing them to approve a tool that performs more network, persistence, and filesystem actions than advertised.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The safescan command uploads a local file or an entire directory when the target exists locally, but this script provides no user-facing warning, confirmation, sensitivity filtering, or dry-run summary before transmission. In a skill-manager context, users may reasonably expect local inspection rather than remote exfiltration of contents, so this creates a real confidentiality risk.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The helper exposes functions that can upload any caller-specified local file or directory path to a remote SafeScan service, which expands the CLI's effective data-access scope beyond a simple API/install wrapper. In an agent-driven context, this creates a meaningful risk of unintended exfiltration of sensitive local data if higher-level orchestration passes arbitrary paths.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
These functions permit transmission of arbitrary local file contents and directory references to a remote endpoint without strong justification in the stated skill purpose. Even if intended for scanning, the capability is sensitive because an agent or wrapper bug could cause secrets, source code, or private documents to be sent off-host.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The skill enables implicit invocation with no documented trigger constraints, while its description grants broad capabilities to search, download, install, update, uninstall, and inspect skills, including falling back to public sources like GitHub and the web. That combination can cause the agent to auto-engage a network-capable package-management workflow during unrelated conversations, increasing the chance of unreviewed remote content retrieval and installation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide instructs agents/users to download remote archives, query external APIs, and run third-party install commands such as `npx clawhub@latest install` and `npx skills add` without explicit trust, integrity, or sandboxing guidance. In a skill-installation context this is materially risky because the workflow normalizes execution of untrusted code and network retrieval from potentially attacker-controlled sources.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide instructs scanning a broad set of local skill directories across multiple agent ecosystems, which can expose installed tools, project names, and workflow details without an explicit user-consent or privacy notice. In a skill manager context this is more sensitive than a generic filesystem read because it inventories other agent environments and could surface locally installed capabilities the user did not intend to disclose.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide explicitly permits skipping confirmation for a destructive uninstall operation when 'force uninstall' is requested, but it does not require strong user-risk signaling, path revalidation, or other safeguards before deletion. In a skill manager context that resolves install locations dynamically across multiple candidate directories, this increases the chance of accidental or unsafe deletion of the wrong skill copy or user data if the target is misidentified or the command is used carelessly.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This is a concrete data-exposure issue: if the user passes a path, the command chooses upload behavior automatically and may send sensitive source code, credentials, configs, or private documents to a remote service. Because there is no warning in this script, accidental disclosure is plausible and the skill context makes this more dangerous, not less, since users may test arbitrary local skill directories.

Missing User Warnings

High
Confidence
88% confidence
Finding
When `--force` is used, the installer unconditionally performs `rm -rf` on the resolved target path before reinstalling. If `skill_name` or the resolved target root is malformed, unexpected, or attacker-influenced, this can delete arbitrary directories or overwrite an existing installation without an additional safety barrier.

Missing User Warnings

High
Confidence
88% confidence
Finding
The staged skill store path is recursively deleted on forced reinstall with no path safety validation beyond existence. Because the destination path is derived from the skill name, any weakness in name normalization or target-root resolution could turn a reinstall into deletion of unintended filesystem content.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The upload functions send local data to a remote service silently from this code path, with no user-facing warning, consent prompt, or visibility into what leaves the machine. In an agent skill, lack of transparency materially increases the risk of covert or accidental exfiltration because users may not realize local files or paths are being transmitted.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The uninstall flow performs `rm -rf` on computed paths with no confirmation, dry-run safeguard, or path ancestry validation beyond name normalization. In a skill manager context this is materially risky because a malformed normalization routine, unexpected skill name mapping, or symlinked target could cause irreversible deletion of user or project data during routine use.

External Transmission

Medium
Category
Data Exfiltration
Content
When searching by name, check CocoLoop first. Prefer a command-line HTTP request tool, for example:

```bash
curl -L "https://api.cocoloop.com/api/v1/store/skills?page=1&page_size=10&keyword=${KEYWORD}&sort=downloads"
```

Expected target:
Confidence
78% confidence
Finding
https://api.cocoloop.com/

VirusTotal

67/67 vendors flagged this skill as clean.