Skill Hub Gateway

Security checks across malware telemetry and agentic risk

Overview

The behaviour of this gateway skill is mostly disclosed, but it can upload arbitrary supported local files to a remote service and exposes sensitive face/person-recognition workflows with limited scoping guidance.

Install only if you trust the Binaryworks gateway with account/API-key bridging, default telemetry, and remote uploads. Disable telemetry with `SKILL_TELEMETRY_ENABLED=false` if unwanted, avoid passing `file_path` for sensitive local files, and treat face/person-recognition capabilities as privacy-sensitive workflows requiring explicit consent and policy review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Description-Behavior Mismatch
Severity: High
Confidence: 95%

The file exposes a broad catalog of AI capabilities, including media analysis, speech, embeddings, reranking, and document conversion, which substantially exceeds the declared 'gateway-only' purpose. This kind of capability overexposure increases the chance that downstream agents or users can invoke unintended high-risk functions, expanding the attack surface and enabling misuse outside the skill's stated scope.

Context-Inappropriate Capability
Severity: High
Confidence: 97%

The catalog includes biometric and surveillance-adjacent functions such as face detection, face keypoints, political/designated person recognition, emotion recognition, and social/physical attribute inference without any gateway-specific justification. In the context of a generic gateway skill, these capabilities are especially dangerous because they enable sensitive identification and profiling workflows that can be repurposed for privacy-invasive or policy-violating use cases.

Description-Behavior Mismatch
Severity: Medium
Confidence: 91%

The skill metadata and top-level description frame the capability as execute/poll and portal closure workflows, but the exposed API also includes write-capable financial operations for voucher redemption and recharge order creation. This mismatch can hide materially sensitive actions from reviewers or calling agents, increasing the risk of unintended purchases, credit redemption, or deceptive tool behavior.

Description-Behavior Mismatch
Severity: Medium
Confidence: 90%

The API exposes install-code issuance, bootstrap exchange, user binding resolution, and API-key login flows that are not reflected in the manifest description. Undisclosed authentication and account-binding capabilities are security-sensitive because they can enable credential exchange, session establishment, or cross-account access paths that reviewers and orchestrators may not anticipate.

Description-Behavior Mismatch
Severity: Low
Confidence: 75%

The manifest under-describes attachment normalization and file upload behavior while the API supports blob upload endpoints and `file_path`-driven handling. Hidden file ingestion/upload paths can expand the attack surface for unintended data exfiltration, unsafe local file access attempts, or unreviewed transfer of user-provided content.

Description-Behavior Mismatch
Severity: Medium
Confidence: 94%

This code goes beyond payload normalization by accepting a user-controlled `file_path`, reading local file contents, and uploading them to a remote blob endpoint. In a gateway skill context, that behavior materially expands the trust boundary and creates a data-exfiltration path from the local environment, even if the feature was added for convenience rather than abuse.

Context-Inappropriate Capability
Severity: High
Confidence: 98%

`resolveAbsolutePath` and the surrounding flow permit arbitrary absolute or relative paths, which are later read with `fs.readFile` without confinement to a safe directory. An attacker who can influence `file_path` could cause sensitive local files to be accessed and then uploaded, leading to confidential data disclosure from the host running the skill.

Context-Inappropriate Capability
Severity: Medium
Confidence: 87%

The code performs outbound uploads of attachment data to a blob/backend service as part of this module's processing, which is a meaningful capability expansion for a gateway normalizer. In this skill context, that is more dangerous because the module can transmit locally sourced data and bearer-authenticated requests off-host without being clearly separated from simple request shaping.

Context-Inappropriate Capability
Severity: High
Confidence: 99%

The code sends `apiKey` values to `emitTelemetry` on both explicit-auth and bootstrap-success paths, which exposes live credentials to a secondary telemetry channel. This is dangerous because telemetry systems are often broadly accessible, retained for long periods, and forwarded to third parties, turning a transient secret into a durable credential leak.

Description-Behavior Mismatch
Severity: Medium
Confidence: 85%

This file performs install-code issuance, agent bootstrap, and API-key retrieval from a remote service, which materially expands capability beyond the stated gateway execute/poll and telemetry role. That hidden auth/bootstrap behavior increases attack surface and can provision credentials or register agents without clear user awareness, making misuse or unauthorized enrollment more likely.

Missing User Warnings
Severity: Medium
Confidence: 87%

The skill explicitly enables telemetry by default and describes feedback submission with attached agent metadata, but it does not define a clear user-facing notice, consent flow, or data-minimization boundary. In an agent setting, silent transmission of execution/auth/feedback metadata to remote endpoints can expose sensitive operational information and create a privacy and compliance risk, especially because the behavior is non-blocking and therefore easy to overlook.

Missing User Warnings
Severity: Medium
Confidence: 90%

Sensitive face/person-recognition capabilities are presented with neutral summaries and example inputs but no user-facing warning about biometric, privacy, or regulatory implications. This omission increases the risk of uninformed use, inappropriate data processing, and deployment into contexts where consent, notice, or legal restrictions are required.

Missing User Warnings
Severity: Medium
Confidence: 91%

When `file_path` is provided, the code silently reads and uploads the referenced local file if no media URL is already present. Because there is no user-facing disclosure or confirmation in this flow, users or integrators may not realize that local files are being transmitted to a remote service, increasing the risk of accidental sensitive-data exposure.

Missing User Warnings
Severity: Medium
Confidence: 84%

The backend upload sends both bearer authorization and raw file content over HTTP requests, but this file contains no visible disclosure, consent, or minimization controls around that transfer. In a unified gateway skill, hidden transmission of both credentials and user-selected content is risky because it obscures the true data flow and can surprise operators and users.

Missing User Warnings
Severity: Medium
Confidence: 95%

The CLI prints a live user authentication token to stdout in JSON, which can be captured by shell history, process supervisors, CI/CD logs, terminal recording tools, or downstream command substitution. In a gateway/auth utility, this is especially risky because the token is the end product of the auth-bridging flow and may grant direct user-session access if exposed.

Missing User Warnings
Severity: High
Confidence: 99%

The code transmits the API key to telemetry without any disclosure, consent, or visible warning, creating a silent exfiltration path for sensitive credentials. Because API keys are bearer tokens, anyone who later accesses telemetry data may be able to authenticate as the agent or pivot into associated backend systems.

VirusTotal

65/65 vendors flagged this skill as clean.