ClawHub

蒲公英异地组网

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed SD-WAN management guide that uses an MCP API key as expected, but users should protect that key carefully.

Before installing, understand that the MCP key can let an AI client manage your 蒲公英 SD-WAN environment. Store it only in trusted per-user configuration, do not commit or share it, restrict local access where possible, and rotate the key if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly tells users to copy an MCP configuration JSON that contains a secret key into local configuration files, but it does not warn that this credential is sensitive, should not be shared, and should be protected with file permissions or secure storage. In the context of an MCP-integrated networking skill that can manage SD-WAN resources, exposure of that key could let an attacker access or manipulate the user's remote network environment.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs users to copy a live API key into local MCP config files across multiple clients, but it does not clearly warn that this credential grants direct management access to the user's SD-WAN environment. If the config file is exposed through local compromise, backup sync, repo leakage, or screenshots, an attacker could query networks, add/remove members, reset credentials, or otherwise control remote connectivity.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal