Security audit

AgentPathfinder

Security checks across malware telemetry and agentic risk

Overview

AgentPathfinder is a real local audit tool, but it exposes broad command, file, network, dashboard, and plaintext logging capabilities that need careful review before installation.

Install only if you are comfortable with a local audit tool that may execute commands, read/write files, fetch URLs, and retain full command arguments/results in plaintext. Use it in an isolated workspace, avoid logging secrets, protect ~/.agentpathfinder, and treat the dashboard/signatures as audit aids rather than proof that work was actually completed.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (46)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
start = time.time()
try:
    import subprocess
    result = subprocess.run(
        command, shell=True, capture_output=True, text=True,
        timeout=timeout
    )
Confidence
99% confidence
Finding
result = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=timeout)

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The document describes an autonomous build pipeline that analyzes code, applies fixes, runs tests, and creates local git commits, which materially exceeds the skill's stated purpose of cryptographic audit trails for tool invocations. This scope expansion is dangerous because users may install or trust the skill for passive provenance logging while it actually enables active code modification workflows that can alter repositories and introduce unauthorized changes.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The documentation introduces customer/product knowledge management, business fact storage, and spec generation features that are unrelated to a narrowly described provenance and audit product. This mismatch increases the risk of over-collection and misuse of sensitive business data because operators may not expect the skill to query, store, or inject customer and product information.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Documented capability to modify source code and create commits is high risk when the skill is presented as an audit/provenance layer, because it turns a supposedly observational component into an actor that changes code state. Even with a later push approval gate, local modifications and commits can still introduce malicious, unsafe, or hard-to-review changes into trusted repositories.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Brain API querying and fact injection are context-inappropriate for an audit-trail skill and can expose or alter sensitive business knowledge under the guise of provenance features. This broadens the attack surface to include data exfiltration, poisoning of internal knowledge bases, and unintended handling of customer information.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The safety document describes the product's core mechanism as 'cryptographic sharding' for workflow completion proof, while the metadata describes an HMAC-signed audit trail for tool calls. A mismatch in core security architecture is dangerous because users and auditors may rely on the wrong trust model, misconfigure deployment, or overlook key limitations—especially since the document later admits local shard access lets an agent forge valid audit entries.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The document first states that all data stays local with no external servers, then later references a hosted remote vault capability. Even if the remote feature is future or opt-in, this inconsistency can mislead users making trust, compliance, and deployment decisions, particularly in security-sensitive environments where any networked component materially changes risk.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The document claims keys are ephemeral and exist only for the lifetime of a task, but also states shards are written to disk and can later be used to reconstruct those keys. This is a material security contradiction because it may cause operators to underestimate persistence and exposure: anyone with filesystem access to the shard store can recover the signing material and forge apparently valid audit records.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The report documents and validates capabilities for shell execution, file read/write, and HTTP fetch even though the skill is described as an audit/provenance layer. Expanding an audit component into an execution and I/O wrapper materially increases attack surface and privilege scope, creating opportunities for command execution, arbitrary file access, and network egress unrelated to the stated purpose.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
Shell execution is a powerful primitive and is not justified by a provenance-only audit role. In an agent context, exposing exec through an 'audit' extension can mislead operators about its true power and enable arbitrary command execution if the component is installed with trust appropriate only for logging.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
File read/write wrappers exceed what is necessary for an audit-trail layer and broaden access to local data and system state. In practice, this can expose secrets during reads and permit destructive or persistence-enabling modifications during writes, especially when paired with logging of full arguments and outputs.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
HTTP fetch introduces outbound network access that is unrelated to a pure audit function. This increases risk of data exfiltration, SSRF-like access to internal resources, and policy bypass when users trust the component as a local provenance layer rather than a network-capable tool.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The method claims to validate step results before issuing a signed token, but the `result` parameter is never inspected and issuance depends only on caller-supplied metadata such as `result_hash`. In a provenance system, this can let an untrusted or buggy caller obtain authoritative completion tokens for invalid, incomplete, or fabricated work, undermining integrity guarantees and enabling false audit assertions.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This file implements agent credential registration and HMAC request authentication even though the stated skill purpose is audit provenance and tool-call logging. That capability expands the trust boundary and creates a new authentication subsystem with persistent secrets, which is risky because it may be used to gate or authorize agent actions without the scrutiny normally applied to auth code.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code persists agent API keys in a local JSON registry under the application's data directory, creating a secret store unrelated to the advertised audit-trail role. Storing long-lived shared secrets on disk increases compromise impact: any local read access, backup exposure, or misconfigured permissions can leak credentials that can then authenticate forged agent requests.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The manifest presents this component as an audit/provenance layer, but this file also implements active capabilities to execute commands, fetch URLs, and read/write files. That mismatch is dangerous because consumers may trust or auto-enable it as passive logging infrastructure when it actually expands the agent's authority significantly.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
A provenance/audit skill should not need unrestricted shell execution to fulfill its stated purpose. Embedding exec capability inside a trusted audit wrapper makes exploitation more dangerous because operators may grant it broad access under the assumption it only records activity.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Outbound URL fetching is unrelated to core audit-trail generation and introduces an SSRF/data-exfiltration primitive into a component marketed as provenance infrastructure. In agent deployments, trusted logging components may be allowed to run broadly, making hidden network reachability especially risky.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Direct file read/write access is not necessary for basic tool-call auditing and broadens the attack surface to local data theft and filesystem tampering. Because this lives in an audit-branded module, integrators may underestimate the privileges being granted.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The module claims tool calls and results are cryptographically signed, yet this file never performs signing and merely delegates to audit.log. Security-signaling mismatches are dangerous because operators may rely on tamper-evidence that is not actually enforced here, weakening audit integrity and incident response.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The dashboard renders full shell commands, filesystem paths, error details, and internal network targets such as localhost health endpoints. Exposing this operational telemetry can leak sensitive environment details, deployment behavior, and command structure to anyone with dashboard access, increasing the risk of reconnaissance, lateral movement, and accidental disclosure of secrets if future commands include tokens or credentials.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill reaches out to an external knowledge source located outside the declared audit-signing/provenance functionality and uses its output to enrich records. In a security-sensitive auditing component, pulling undisclosed external context expands the trust boundary, can leak operational metadata, and introduces an integrity risk where audit artifacts may be influenced by unvetted data.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The JSON file bundles substantial business, pricing, competitor, persona, infrastructure, and operational data that is not necessary for an audit-trail skill focused on cryptographically signed tool-call provenance. Overbroad embedded knowledge expands the skill's accessible data surface, creating avoidable risk of prompt leakage, inappropriate disclosure, or cross-context use of sensitive operational information.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The file contains context-inappropriate business intelligence and profile data, including internal blockers, pricing strategy, infrastructure details, and personal background, none of which are justified by the skill's stated function. Even if not highly secret on their own, centralizing this information inside a runtime skill increases the chance it will be exposed to users, other components, or downstream logs and outputs.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
If key reconstruction or verification fails, the code falls back to parsing the audit file and sets integrity_ok to true with zero tampering reported. In a product whose core security claim is cryptographic audit integrity, this can falsely present unverified or attacker-modified data as trustworthy, undermining tamper detection and incident response.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
agentpathfinder/task_engine.py:428