优云智算GPU管家 (CompShare GPU Manager)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real CompShare GPU management skill, but it gives the agent broad cloud and root SSH control with limited safeguards, so it should be reviewed before installation.

Install only if you intend to let the agent manage your CompShare account and administer the resulting GPU servers over SSH. Use least-privilege API keys, avoid putting passwords in shell history or shared logs, verify every instance ID and SSH target, and require explicit approval before delete, reset-password, remote exec, file deletion, chmod, upload/download, or shell use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Description-Behavior Mismatch

High (97% confidence)
Finding
This section documents capabilities far beyond instance CRUD, namely end-to-end SSH administration and file operations on remote machines. Such scope expansion materially changes the trust boundary from cloud API management to full control over guest operating systems and data.

Context-Inappropriate Capability

High (98% confidence)
Finding
Arbitrary SSH command execution and interactive shell access enable unrestricted actions on remote instances, including persistence, lateral movement, data exfiltration, and destructive changes. Because these capabilities are not necessary for the declared purpose, they create unnecessary and under-disclosed risk.

Context-Inappropriate Capability

High (97% confidence)
Finding
SSH-based upload, download, deletion, rename, chmod, and directory management provide broad remote file-system control that can alter workloads, expose sensitive data, or destroy evidence and user files. These actions exceed the declared cloud instance-management scope and therefore increase the risk of misuse or accidental harm.

Description-Behavior Mismatch

Medium (95% confidence)
Finding
The skill description says it manages GPU instance lifecycle, but the reference adds a broad SSH administration surface including remote command execution, file upload/download, shell access, permission changes, and deletion operations. This materially expands capability from infrastructure control into arbitrary post-provision host control, increasing the risk of unauthorized code execution, data exfiltration, and destructive actions beyond what users would expect from the manifest.

Description-Behavior Mismatch

High (97% confidence)
Finding
The file implements a general-purpose SSH administration client with command execution, interactive shell, and file-transfer features, while the declared skill scope is limited to GPU instance lifecycle management. This creates a substantial capability expansion: anyone invoking the skill can move from managing instance state to operating inside the instance itself, increasing the blast radius from control-plane actions to full guest-OS compromise.

Context-Inappropriate Capability

High (99% confidence)
Finding
The execute() method exposes arbitrary remote command execution over SSH using credentials supplied to the tool. In the context of an agent skill, this enables unrestricted code execution on target instances, allowing data theft, malware deployment, persistence, destructive actions, or lateral movement far beyond the stated lifecycle-management purpose.

Context-Inappropriate Capability

High (99% confidence)
Finding
The interactive shell provides full terminal access to the remote instance, effectively handing the caller unrestricted administrative control. Within a skill whose stated purpose is instance lifecycle management, this is unjustified high-risk functionality that can be used to execute arbitrary commands, modify system state, exfiltrate secrets, and evade higher-level guardrails.

Context-Inappropriate Capability

Medium (95% confidence)
Finding
The script includes broad remote filesystem read/write, rename, chmod, upload, and download capabilities that are not necessary for basic instance lifecycle management. These functions enable tampering with remote systems, secret exfiltration, malware staging, and destructive changes to both remote and local filesystems, significantly increasing operational and security risk.

Missing User Warnings

Medium (87% confidence)
Finding
The documentation includes destructive instance deletion and remote file deletion flows without clear warnings about irreversibility, service disruption, or data loss. In an automation context, missing safety prompts materially increases the chance of accidental destructive operations.

Missing User Warnings

Medium (89% confidence)
Finding
The skill instructs users to handle API keys and SSH passwords and even notes that passwords can be retrieved from instance listings, but provides only minimal guidance on secure storage and secret exposure. That creates a meaningful risk of credential leakage through config files, shell history, logs, screenshots, or misuse of returned passwords.

Missing User Warnings

Medium (96% confidence)
Finding
The documentation tells operators to retrieve and reuse instance passwords directly, without sensitivity warnings or safer credential-handling guidance. In this skill context, those passwords grant direct access to provisioned GPU hosts, so casual handling meaningfully increases credential leakage risk through logs, transcripts, screenshots, or operator error.

Missing User Warnings

Medium (91% confidence)
Finding
The SSH command list documents destructive file operations such as rm and rmdir without warning about irreversibility, target validation, or confirmation expectations. Because these actions run on remote GPU instances and may be used by an agent, omission of safeguards increases the chance of accidental or manipulated destructive behavior.

Missing User Warnings

Medium (90% confidence)
Finding
Reinstallation is documented as a routine action without warning that it can overwrite the system environment and destroy existing state. In an infrastructure-management skill, underemphasizing the destructive nature of reinstall materially raises the risk of accidental data loss or malicious social engineering through seemingly benign requests.

Missing User Warnings

Medium (91% confidence)
Finding
The delete command directly invokes instance termination with no interactive confirmation, dry-run mode, or secondary safety check. In an infrastructure-management skill that can destroy GPU instances, a mistaken invocation, ambiguous user prompt, or agent misinterpretation can cause irreversible service disruption or data loss.

Ssd 3

Medium (97% confidence)
Finding
The guide explicitly states that instance query results include SshLoginCommand and Password and encourages operational reuse of them. This normalizes plaintext credential exposure in a context where transcripts, tool logs, or agent memory may retain sensitive secrets, increasing compromise risk.

Ssd 3

Medium (99% confidence)
Finding
Passing passwords directly on the command line is dangerous because shell history, process listings, telemetry, CI logs, and agent traces can capture them. In this skill, those credentials unlock root-level access to remote GPU instances, so exposure can quickly lead to full host compromise and data theft.

VirusTotal

59/59 vendors flagged this skill as clean.