Reckit

Security checks across malware telemetry and agentic risk

Overview

Reckit is a coherent code-audit suite, but it asks agents to execute project code and tooling, write and mutate files, spawn workers, and sometimes commit to the repository, all with weak consent boundaries and unsafe sandbox guidance.

Install only if you are comfortable with an audit skill that can execute project code and tooling, spawn workers, and write files under the repository. Use it in a sandbox or disposable worktree for untrusted projects, keep approval controls enabled, review the exact commands before running gates, and avoid the dashboard or sandbox-bypass guidance unless you understand the local exposure and privilege implications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (27)

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The /api/status endpoint serves aggregated metadata from every discovered project over plain HTTP, and the server sets `Access-Control-Allow-Origin: *` on every response. Binding the listener to 127.0.0.1 does not help: the request originates from the user's own browser, so a page on any website the user visits can fetch the endpoint and, because of the wildcard, read the response body. Local verification and project metadata becomes cross-origin accessible data.
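Added example, not Reckit's or SkillSpector's code: a check for this exposure that parses a captured HTTP response and flags a wildcard `Access-Control-Allow-Origin`. Both responses in the block are constructed samples, and the port in the commented curl line is a placeholder. A wildcard does not permit credentialed requests, but an unauthenticated loopback endpoint needs none, which is why the wildcard alone is enough to leak the data.

```shell
#!/bin/sh
# Added example, not Reckit's or SkillSpector's code: parses a captured HTTP
# response and flags the wildcard CORS header the finding describes. Both
# responses below are constructed samples; PORT in the curl line is a
# placeholder.
set -u

# To capture a real response from the dashboard, send a GET with a foreign
# Origin, exactly as a page on another site would:
#   curl -sSi -H 'Origin: https://attacker.example' http://127.0.0.1:PORT/api/status

# Constructed sample matching the finding: the body is readable from any origin.
RESP_WILDCARD=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nAccess-Control-Allow-Origin: *\r\n\r\n{"projects":[]}')
# Constructed sample with no CORS header: the browser withholds the body from
# cross-origin scripts.
RESP_NONE=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{"projects":[]}')

# Print the Access-Control-Allow-Origin value (case-insensitive name match) or
# nothing. Parsing stops at the first empty line, so the body is ignored.
acao_value() {
  printf '%s\n' "$1" | tr -d '\r' | awk '
    /^$/ { exit }
    tolower($0) ~ /^access-control-allow-origin:/ {
      sub(/^[^:]*:[[:space:]]*/, ""); print; exit
    }'
}

# Succeeds (exit 0) when the response is readable from every origin.
is_wildcard_cors() {
  [ "$(acao_value "$1")" = "*" ]
}

# Policy for a loopback service: no ACAO header at all, or a single explicitly
# trusted origin. A wildcard fails; anything else is listed for review.
cors_verdict() {
  v=$(acao_value "$1")
  if [ -z "$v" ]; then
    echo "ok: no cross-origin read access"
  elif [ "$v" = "*" ]; then
    echo "FAIL: body readable from any website the user visits"
  else
    echo "review: allowed origin $v"
  fi
}
```

Run the curl line against the live dashboard and feed its output to `cors_verdict`; if the server reflects the supplied Origin instead of sending `*`, the verdict is "review", which is the same exposure under a different header and should be treated as a failure unless the reflected origin is validated against an allowlist.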

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The orchestrator is framed as a verification system, but these instructions explicitly direct subagents to implement changes and commit them to the repository. That expands the skill from analysis into code modification, increasing the chance of unintended or unauthorized changes being made under the guise of verification.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The direct instruction to run `git add` and `git commit` gives the skill durable write capabilities over the target repository without clear consent boundaries. In an agent setting, this can create unauthorized history changes, conceal risky edits in commits, or interfere with a user's working tree and review process.

Context-Inappropriate Capability

Severity: High
Confidence: 90%
Finding
The skill description claims 'no external tools required,' but the orchestrator depends on executing scripts from `~/Projects/wreckit-ralph/scripts`. This mismatch is dangerous because it hides external execution dependencies from users and can cause the agent to run arbitrary local tooling that has not been disclosed or reviewed in the skill contract.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The script invokes `npx --yes madge --circular --json .`; `--yes` suppresses the install prompt, so npx can fetch and execute package code from the registry at analysis time without asking. In a security-review skill this is dangerous because simply scanning an untrusted project may trigger network-based code execution in the analyst's environment, contradicting the 'no external tools required' safety expectation and expanding the attack surface to supply-chain compromise or unexpected install hooks.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The script derives a test command from project-controlled metadata and executes it with `eval`, which causes the shell to interpret arbitrary metacharacters, command substitutions, and chained commands. In this skill's context, the tool is meant to analyze untrusted codebases, so a malicious repository can turn 'run tests' into arbitrary code execution on the analyst/agent host rather than simple regression checking.

Intent-Code Divergence

Severity: Medium
Confidence: 99%
Finding
The wrapper uses `output=$("$@" ... || true)`, so the `|| true` makes the command substitution succeed and the `$?` read afterwards is the status of `true`, not of the gate command. Telemetry and any caller relying on `LAST_EXIT_CODE` will therefore always see success, which can mask failing verification gates and lead to unsafe code being treated as verified.
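Added example, not Reckit's own code: it reproduces the masking with a constructed gate that fails with status 3, then shows a wrapper that records the real status while still not aborting a `set -e` caller.

```shell
#!/bin/sh
# Added example, not Reckit's own code: reproduces the exit-status masking the
# finding describes and shows a wrapper that records the gate's real status.
# The failing gate is a constructed stand-in.
set -u

# Constructed stand-in for a verification gate that fails with status 3.
failing_gate() {
  echo "gate output"
  return 3
}

# Vulnerable wrapper: `|| true` sits inside the command substitution, so the
# last command that ran is `true` and $? is 0 whatever the gate returned.
run_gate_vulnerable() {
  output=$("$@" 2>&1 || true)
  LAST_EXIT_CODE=$?
  echo "$LAST_EXIT_CODE"
}

# Fixed wrapper: keep the substitution's own status. The `|| status=$?` clause
# still stops a `set -e` caller from aborting, but records the real code
# instead of replacing it with the status of `true`.
run_gate_fixed() {
  status=0
  output=$("$@" 2>&1) || status=$?
  LAST_EXIT_CODE=$status
  echo "$LAST_EXIT_CODE"
}

# run_gate_vulnerable failing_gate -> 0 (masked)
# run_gate_fixed failing_gate      -> 3
```

The same masking happens with `local output=$(cmd)` or `export output=$(cmd)`, where `$?` reports the status of `local` or `export` rather than of `cmd`; declare the variable on one line and assign it on the next.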

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The trigger list is very broad, including generic terms like 'verification', 'code audit', and 'bulletproof', which may cause the skill to activate outside the user's intended context. Because this skill can run shell commands, spawn workers, and write proof artifacts, accidental invocation materially increases the chance of unintended side effects.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill states it produces a '.wreckit/' proof bundle and elsewhere describes generating artifacts, but does not provide a prominent user-facing warning that repository files will be created or modified. In an audit context, users often expect read-only behavior, so silent writes can corrupt working trees, interfere with CI, or expose data through generated artifacts.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The skill explicitly recommends using '--dangerously-bypass-approvals-and-sandbox' to work around sandbox restrictions, without equivalent safety guardrails. That instruction directly encourages disabling core containment controls, which can enable unrestricted command execution, filesystem modification, secret exposure, and network activity in response to normal skill usage.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding
The document explicitly says the script will generate a starter GitHub Actions workflow when no CI config is found, but it does not clearly warn that running the gate may modify the target repository by creating new files. In an agentic context, undocumented write behavior is risky because users may expect an audit/check-only action and instead get persistent project changes that can alter repository state or be accidentally committed.

Missing User Warnings

Severity: Low
Confidence: 91%
Finding
The template explicitly instructs the agent to write a proof bundle into the target project directory, but it does not warn the user that this will create or modify files. In an agent skill, silent filesystem writes can violate user expectations, especially during analysis or verification workflows where users may assume read-only behavior unless modification is disclosed.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The AUDIT-only template says 'no changes' but later instructs the agent to write a proof bundle to [path]/.wreckit/, which is a contradiction. This is more dangerous than the earlier case because it can cause unauthorized writes in a mode the user is likely to interpret as read-only, undermining trust and potentially affecting sensitive or monitored repositories.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
These instructions include writing files, running checks, and committing changes, but they do not pair those actions with a prominent user-facing warning that the repository will be modified. In an autonomous agent context, that lack of consent and transparency makes destructive or surprising changes more likely.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The orchestrator directs workers to execute numerous local scripts and analysis commands against the target project without a clear warning that subprocesses will run. In a security-sensitive environment, hidden command execution increases the risk of running unsafe tooling, triggering project hooks, or operating on untrusted repositories without informed approval.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The script executes TEST_CMD with `eval`, and that command can come directly from a caller argument or indirectly from repository-controlled metadata returned by `detect-stack.sh`. Because `eval` re-parses shell metacharacters, an attacker can inject arbitrary shell commands that will run in the operator's environment, making this a real command-injection risk in a tool explicitly designed to operate on untrusted project code.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The script extracts a test command from project metadata and executes it via `bash -c`, which allows arbitrary shell execution if that metadata is attacker-controlled or comes from an untrusted repository. In this skill’s context, the tool is explicitly designed to inspect and verify arbitrary projects, so running discovered commands silently materially increases the risk of executing malicious install/test payloads during analysis.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding
The script silently invokes multiple external tools (`npx`, `pytest`, `cargo`, `go`, `swift`) against the target project with output redirected away, which can execute untrusted project code, hooks, plugins, and dependency-resolved binaries without user visibility. Because this skill is meant for auditing/building arbitrary codebases, hidden execution of project-controlled test workflows is more dangerous than in a fixed internal CI script.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The script executes a dynamically detected test command via `bash -c "$TEST_CMD 2>&1"`, where `TEST_CMD` originates from project-controlled metadata returned by `detect-stack.sh`. In a security-audit/verification skill, scanning an untrusted repository can therefore trigger arbitrary shell command execution without warning or consent, making this especially dangerous because the tool is expected to inspect potentially adversarial codebases.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The script executes a detected test command derived from project analysis without any explicit user confirmation or safety gate. In an agent-skill context, running repository-controlled test commands can execute arbitrary code from an untrusted project, which is dangerous because test runners and package scripts routinely have full code execution side effects.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
This branch performs subprocess-based execution of project tests and analyzers without clearly disclosing that repository code will be run. Because this skill is designed to analyze arbitrary user projects, executing build/test commands increases risk: a malicious repository can embed harmful code in tests, build hooks, or tool configuration and gain command execution in the agent environment.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
This script intentionally performs in-place mutation of project source files and then attempts to restore them, but it does so without an explicit warning, confirmation, or strong safety guardrails. In an agent/automation context, modifying user code on disk can cause data loss or repository corruption if the script is interrupted, crashes mid-run, or concurrent processes observe the mutated files.
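Added example, not Reckit's own code: a mutate-then-restore step with the guardrails this finding says are missing, namely a refusal to touch a tracked file that has uncommitted changes and a restore that runs even when the test command fails or the process is interrupted. The source file, the sed mutation and the `require_clean_file` / `with_mutation` names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Reckit's own code: a mutate-then-restore step with the
# guardrails the finding says are missing. The file and mutation are
# constructed; the point is the clean-tree check and the trap-based restore.
set -u

# Refuse to mutate a tracked file that has uncommitted changes: an interrupted
# run would otherwise destroy work that exists nowhere else. Outside a git work
# tree (or without git) the check is skipped and only the backup protects the
# file.
require_clean_file() {
  d=$(dirname "$1"); b=$(basename "$1")
  if git -C "$d" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    git -C "$d" diff --quiet -- "$b" || return 1
  fi
  return 0
}

# Usage: with_mutation FILE SED_EXPR COMMAND [ARGS...]
# Applies SED_EXPR to FILE, runs COMMAND, and restores FILE afterwards. The
# subshell's EXIT trap fires on normal completion, on failure, and on SIGINT or
# SIGTERM (turned into an exit), so the original contents come back every time.
with_mutation() {
  f="$1"; sed_expr="$2"; shift 2
  require_clean_file "$f" || { echo "refusing: $f has uncommitted changes" >&2; return 2; }
  (
    backup=$(mktemp "$f.orig.XXXXXX") || exit 1
    cp -p "$f" "$backup"
    trap 'cp -p "$backup" "$f"; rm -f "$backup"' EXIT
    trap 'exit 130' INT TERM
    # Read from the backup, write to the original: portable across sed variants.
    sed -e "$sed_expr" "$backup" > "$f" || exit 1
    "$@"
  )
}
```

`with_mutation` returns the test command's own status, so a caller can tell "mutant survived" from "mutant killed" while the working tree is already back to its original state; a git stash or a throwaway worktree is the stronger option when many files are mutated at once.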

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The script executes a dynamically detected test command using `bash -c "$TEST_CMD"`, where `TEST_CMD` is derived from project analysis rather than a fixed allowlisted command. In an agent setting that scans arbitrary repositories, a malicious project can influence the detected command and trigger arbitrary shell execution, making this more dangerous than a normal local developer helper script.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The script creates `.wreckit/property-stubs` files inside the target project automatically when no property tests are found, without prior explicit consent. In an automated agent workflow, silent writes to a user repository can modify source state, pollute commits, or be abused to plant misleading test artifacts, especially when operating on untrusted or production codebases.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The script performs shell execution of a dynamically constructed command without any user confirmation, warning, or indication that repository-controlled test commands may run. That omission increases the likelihood of accidental execution of unsafe commands from untrusted projects, especially because the skill markets itself as a verification/audit tool that users may point at arbitrary code.
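Added example, not Reckit's own code, serving this finding and the earlier `eval` and `bash -c "$TEST_CMD"` findings together: it reproduces the injection path with a constructed metadata value, shows that the same string is harmless when passed as a single argv word, and sketches the hardened shape of a gate that maps the detected stack to a fixed runner instead of executing a free-form command. The stack names, runner commands and `DRY_RUN` switch are assumptions for illustration; the demo never invokes a real test suite.

```shell
#!/bin/sh
# Added example, not Reckit's own code: reproduces the injection path the
# eval / bash -c findings describe and shows an allowlisted alternative that
# never re-parses a project-controlled string. The metadata value and the
# stack-to-runner table are constructed for illustration.
set -u

# Constructed stand-in for a value a detect-stack-style step could derive from
# repository metadata (for example a package.json "scripts.test"). A malicious
# repository controls every byte of it; this payload is deliberately benign.
EVIL_TEST_CMD='true; echo INJECTED > injected.txt'

# Vulnerable pattern: the string goes back to the shell for parsing, so ';',
# '|', '$(...)' and redirections inside it are honoured.
run_vulnerable() {
  eval "$1"              # bash -c "$1 2>&1" has the same exposure
}

# Safe handling of an untrusted string: it travels as one argv word and is
# never parsed, so the command receives the text, not its side effects.
run_as_argv() {
  "$@"
}

# Hardened pattern: map the detected stack name to a fixed argv (the shell's
# positional parameters) and refuse anything not on the list. With DRY_RUN=1
# the chosen argv is printed one word per line instead of executed.
run_hardened() {
  case "$1" in
    node)   set -- npm test ;;
    python) set -- python3 -m pytest -q ;;
    go)     set -- go test ./... ;;
    rust)   set -- cargo test ;;
    *)      printf 'refusing unknown stack: %s\n' "$1" >&2; return 1 ;;
  esac
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$@"
  else
    "$@"                 # no eval, no string re-parse
  fi
}

# Run COMMAND in a scratch directory and print 1 if injected.txt appeared.
probe() {
  dir=$(mktemp -d)
  injected=0
  ( cd "$dir" && "$@" >/dev/null 2>&1 )
  if [ -f "$dir/injected.txt" ]; then injected=1; fi
  rm -rf "$dir"
  echo "$injected"
}

# probe run_vulnerable "$EVIL_TEST_CMD"   -> 1 (file created by the injection)
# probe run_as_argv echo "$EVIL_TEST_CMD" -> 0 (string printed verbatim)
```

The allowlist removes the injection, not the underlying exposure: `npm test`, `pytest` and `cargo test` still execute repository code, so the hardened gate still belongs in a disposable worktree or container and behind an explicit approval step when the project is untrusted.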

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal