Skill Safe Install

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate security installer, but it needs review: a crafted skill name can reach the local shell commands the installer runs, and auto mode can bypass the warning confirmations that are supposed to gate risky installs.

Review or patch this skill before relying on it as a safety gate. Use only ordinary registry-style skill names; avoid --auto, --yes, --force, --no-vetter and --no-scan unless you explicitly accept the risk; and do not scan private or proprietary skills unless sharing their contents with ThreatBook is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Intent-Code Divergence
Severity: Medium
Confidence: 97%
Finding: The document defines ThreatBook allow conditions inconsistently, using both 'safe' and 'clean' for the pass state. In an automated installation workflow, this ambiguity can cause incorrect branching, such as treating unknown or suspicious results as allowed due to label mismatch or failed parsing.

Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: The file claims a mandatory three-layer verification before installation, but later introduces a whitelist path that allows direct installation without completing those checks. This weakens the promised trust boundary and creates a bypass where a mistaken or abused whitelist decision can override other safety controls.

Intent-Code Divergence
Severity: Medium
Confidence: 98%
Finding: The documented process says high-risk and suspicious outcomes require requester confirmation, but the later auto mode states those confirmations are skipped and installation proceeds automatically. That contradiction turns a human approval gate into a silent bypass, materially increasing the chance of unsafe installation in CI or unattended contexts.

Intent-Code Divergence
Severity: Medium
Confidence: 98%
Finding: The help text says auto mode will 'automatically ask the requester when confirmation is needed', but the implementation later treats --auto the same as --force and proceeds with installation without any confirmation. This creates a fail-open security control that can install risky skills despite checks flagging them as suspicious.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The process describes automatically uploading downloaded skill packages to a third-party sandbox without a clear privacy or data-handling warning. Because skill packages may contain proprietary code, secrets, or sensitive internal logic, silent submission can cause unintended data disclosure and compliance issues.

Missing User Warnings
Severity: High
Confidence: 99%
Finding: Auto mode is documented to continue installation without confirmation even when prior checks return suspicious or high-risk outcomes. In a security gate whose purpose is to stop risky installs pending human review, that behavior defeats the control and can directly enable malicious or unsafe skills to be deployed automatically.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The script downloads a skill, packages it, and uploads it to ThreatBook for sandboxing, but there is no explicit warning or consent prompt at the point where code contents are sent to a third-party service. If the skill package contains secrets, proprietary code, or private data, this causes unintended external disclosure.
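As an added example (not the skill's own code and not SkillSpector output), here is what a fail-closed version of this gate looks like in Python, covering the points raised in the overview and the findings above: the skill name is validated against a registry-style pattern and passed as a single argv element so it can never reach a shell; both 'safe' and 'clean' are accepted explicitly and every other label, including a failed parse, lands in a confirm state rather than allow; --auto skips the prompt only for a clean result, while suspicious results still require a requester and high-risk results install only with --force; and the package is not sent to the sandbox without explicit consent. The binary name skill-installer, the label sets and the --share-with-sandbox flag are assumptions for illustration.

```python
import re
from enum import Enum

# Added example, not the skill's own code. A fail-closed install gate that
# avoids the failure modes in the findings: label mismatch, shell-reachable
# skill names, auto mode silently bypassing confirmation, and silent upload
# of the package to a third-party sandbox.

# Ordinary registry-style names only: no spaces, quotes, $, ;, |, backticks.
SKILL_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{0,63}$")


class Verdict(Enum):
    ALLOW = "allow"      # clean: may proceed without a human in auto mode
    CONFIRM = "confirm"  # suspicious or unparseable: needs requester approval
    BLOCK = "block"      # high-risk/malicious: only --force installs


# Both spellings the document uses for the pass state are accepted explicitly;
# anything not listed falls through to CONFIRM, never to ALLOW (assumed sets).
_PASS = {"safe", "clean"}
_BLOCK = {"malicious", "high-risk", "high_risk"}


def classify_result(raw):
    """Map a scanner/sandbox response to a Verdict, failing closed."""
    if not isinstance(raw, dict):
        return Verdict.CONFIRM              # failed parse -> human review
    label = str(raw.get("result", "")).strip().lower()
    if label in _PASS:
        return Verdict.ALLOW
    if label in _BLOCK:
        return Verdict.BLOCK
    return Verdict.CONFIRM                  # 'suspicious', 'unknown', '' ...


def validate_skill_name(name):
    """Reject anything that is not a plain registry-style name."""
    if not SKILL_NAME_RE.fullmatch(name):
        raise ValueError(f"refusing skill name {name!r}: not registry-style")
    return name


def install_argv(name):
    """argv list for subprocess.run(..., shell=False); the name is one
    argument after '--', so it can never become a shell command.
    'skill-installer' is a placeholder binary name (assumption)."""
    return ["skill-installer", "install", "--", validate_skill_name(name)]


def plan_sandbox_upload(package_path, share_with_third_party):
    """Require explicit consent before a package leaves the machine."""
    if not share_with_third_party:
        raise PermissionError(
            f"{package_path}: not uploading to the third-party sandbox "
            "without --share-with-sandbox (package may hold secrets)")
    return {"upload": package_path}


def decide(verdict, auto=False, force=False, confirm=None):
    """Return (install: bool, reason: str).

    auto skips the prompt ONLY for ALLOW. CONFIRM still asks the requester
    via confirm(prompt) -> bool; with no prompter available (CI), it refuses.
    BLOCK installs only with force, i.e. the operator accepting the risk.
    """
    if force:
        return True, "forced by operator"
    if verdict is Verdict.BLOCK:
        return False, "high-risk result; refuse without --force"
    if verdict is Verdict.ALLOW and auto:
        return True, "clean result; auto mode"
    if confirm is None:
        return False, "confirmation required but no requester available"
    prompt = f"scan result {verdict.value}: install anyway? [y/N] "
    return bool(confirm(prompt)), "requester decision"


def gate(name, scan_result, auto=False, force=False, confirm=None):
    """Whole decision: validate the name first so a crafted name is rejected
    even under --force, then classify the scan result and decide.
    Returns (argv or None, reason)."""
    argv = install_argv(name)
    ok, reason = decide(classify_result(scan_result), auto, force, confirm)
    return (argv if ok else None), reason
```

The important design choice is that the unknown branch of classify_result maps to CONFIRM, not ALLOW, and that validate_skill_name runs before any mode flag is consulted; a --force path that still honoured a shell-reachable name would reintroduce the overview's first problem.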

VirusTotal

66/66 vendors flagged this skill as clean.
