Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it runs a live LLM latency test. Users should understand that it reads their stored API keys and may incur small provider charges on each run.

Install only if you are comfortable with a shell script reading LLM API keys from pass shared/ and making live authenticated requests to the listed providers. Use it deliberately, consider low-quota keys, and review or adapt scripts/ping.sh if your secrets are stored elsewhere or you only want to test selected providers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill declares shell capability but no explicit permissions, while its documented behavior includes running a shell script that retrieves secrets and makes authenticated outbound API calls. This creates a transparency and least-privilege problem: users or policy engines may approve or run the skill without understanding that it can access local secret stores and transmit data to third-party services.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The documented behavior shows the skill accesses locally stored API keys via `pass shared/` and sends authenticated requests to multiple external providers, but this is not clearly reflected in the declared permissions and partly mismatches the stated purpose. That combination is dangerous because a seemingly simple latency test actually performs secret access and multi-destination network egress, increasing the risk of unintended credential use, data exposure, and trust bypass if users invoke it casually.

Context-Inappropriate Capability

Severity: Medium
Confidence: 82%
Finding: The script pulls multiple provider API keys from the local password store automatically, which expands its privilege surface beyond simple local formatting logic. While the stated purpose is latency testing and the keys are used for that purpose, silently accessing several stored secrets is security-relevant because invoking the skill causes credential use and billable authenticated requests without an explicit consent step.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The script accesses up to five separate API credentials with no user-facing warning, prompt, or dry-run notice. Even if no secret is directly exfiltrated, silent credential access is dangerous because users may not realize the skill will use their stored tokens, incur charges, and establish authenticated sessions to third-party services.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The script makes authenticated outbound requests to several third-party AI providers without any explicit warning or approval at runtime. This creates privacy, billing, and policy risks because a user invoking a simple speed test may unknowingly send prompts and metadata to external vendors under their own accounts.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt from scripts/ping.sh):
fi

if [[ -n "$GEMINI_KEY" ]]; then
  (ms=$(curl -s -o /dev/null -w "%{time_total}" --max-time 30 \
    -X POST "https://generativelanguage.googleapis.com/v1beta/models/gemini-2.5-flash:generateContent?key=$GEMINI_KEY" \
    -H "Content-Type: application/json" \
    -d '{"contents":[{"parts":[{"text":"hi"}]}],"generationConfig":{"maxOutputTokens":1}}')
Confidence: 68%
Finding: curl -s -o /dev/null -w "%{time_total}" --max-time 30 \ -X POST "https://generativelanguage.googleapis.com/v1beta/models/gemini-2.5-flash:generateContent?key=$GEMINI_KEY" \ -H "Content-Type: a

VirusTotal

64/64 vendors flagged this skill as clean.
