Service Catalog

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only service inventory skill whose repository scans and optional local health checks match its stated purpose, but its outputs may contain sensitive internal metadata.

Use this skill only on repositories or organization checkouts you are authorized to inventory. Review generated reports before sharing, especially owner names, repository URLs, dependency URLs, environment-derived service references, and health results. Run the health command only when probing local containers, system services, and localhost endpoints is acceptable in that environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The skill is framed primarily as codebase/config discovery, but the `health` command also interrogates the live environment via `docker ps`, `systemctl`, and `curl` to discovered localhost endpoints. That expands scope from passive cataloging into runtime host and network probing, which can surprise users, leak environmental details, and trigger unintended network activity in sensitive environments.

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding
The runtime interrogation features are not strictly necessary to generate a service catalog from repository artifacts, yet they enumerate running containers/services and probe health URLs. In environments where the agent has broader host access, this can expose operational metadata or interact with internal services beyond the user's expected scope.

Missing User Warnings

Medium
Confidence: 90%
Finding
The cataloging workflow explicitly reads CODEOWNERS, package authors, git activity, and repository URLs, then emits them in reports, but the skill does not warn that this may surface sensitive internal ownership and infrastructure metadata. Even if intended for internal inventory, such data can aid reconnaissance or be over-shared in chat outputs, logs, or CI artifacts.

Missing User Warnings

Medium
Confidence: 95%
Finding
The `health` section performs active `curl` requests to discovered endpoints, but the skill description does not tell users that network calls will occur. This is dangerous because auto-discovered endpoints may belong to internal-only services, and probing them can create audit noise, violate change-control expectations, or interact with systems the user did not intend to contact.

VirusTotal

65/65 vendors flagged this skill as clean.