pctx — MCP Aggregation & Code Mode

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly transparent about being an MCP gateway, but it gives agents broad, persistent access to local tools and GitHub/Linear-style credentials without clear guardrails.

Install only if you trust the publisher and every upstream MCP server the gateway fronts, and use narrowly scoped GitHub/Linear tokens (read-only where possible, one token per integration). Review every MCP server added to the gateway, avoid upstreams that are launched from untrusted or unpinned npx/npm packages or reached over remote HTTP endpoints, and stop or remove the launchd daemon when you no longer need the local MCP service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Medium severity
84% confidence
Finding
The skill is presented as an MCP aggregation layer for specific backends, but it also exposes generic commands to add arbitrary upstream MCP servers via local binaries, npm/npx, or remote HTTP endpoints. That broadens the trust boundary significantly and could let an agent connect to unreviewed servers or execute untrusted packages, creating supply-chain and data-exfiltration risk beyond the stated purpose.
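The review step this finding calls for can be automated. The script below is an added example, not pctx's own code: it audits an MCP gateway configuration and flags upstream entries that widen the trust boundary in the ways described above. It assumes the common `{"mcpServers": {name: {...}}}` JSON layout used by MCP clients (an assumption about the gateway's actual config format), and the allowlists, the sample config and its credential values are constructed for illustration.

```python
"""Audit an MCP gateway config for risky upstream servers.

Added example, not pctx's own code. Assumes the {"mcpServers": {...}} layout
used by common MCP clients; allowlists and the sample config are constructed.
"""
import json
import re
from urllib.parse import urlparse

# Commands that fetch and execute a package from a registry at start-up.
PACKAGE_RUNNERS = {"npx", "npm", "pnpm", "uvx", "pipx"}
# Local binaries the reviewer has already vetted (assumption: adjust per host).
ALLOWED_BINARIES = {"/opt/homebrew/bin/linear-mcp", "/usr/local/bin/github-mcp"}
# Remote hosts the reviewer accepts for HTTP/SSE upstreams (assumption).
ALLOWED_REMOTE_HOSTS = {"mcp.example.internal"}
# Env var names that usually carry credentials.
SECRET_NAME = re.compile(r"(TOKEN|SECRET|API_KEY|PASSWORD)", re.IGNORECASE)
# An exactly pinned npm spec: name@1.2.3 or @scope/name@1.2.3.
PINNED = re.compile(r"^(@[^/@]+/)?[^@]+@\d+\.\d+\.\d+$")


def audit_server(name, spec):
    """Return (severity, message) findings for one upstream server entry."""
    findings = []
    cmd = spec.get("command")
    args = spec.get("args", [])
    url = spec.get("url")
    env = spec.get("env", {})

    if cmd in PACKAGE_RUNNERS:
        pkgs = [a for a in args if not a.startswith("-")]
        pkg = pkgs[0] if pkgs else "<none>"
        if not PINNED.match(pkg):
            findings.append(("high", f"{name}: {cmd} runs unpinned package {pkg!r}; pin an exact version"))
        if "-y" in args or "--yes" in args:
            findings.append(("medium", f"{name}: {cmd} -y installs without prompting"))
    elif cmd and cmd not in ALLOWED_BINARIES:
        findings.append(("medium", f"{name}: local binary {cmd!r} is not on the reviewed allowlist"))

    if url:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append(("high", f"{name}: remote endpoint {url} is not TLS-protected"))
        if parsed.hostname not in ALLOWED_REMOTE_HOSTS:
            findings.append(("medium", f"{name}: remote host {parsed.hostname!r} is not on the allowlist"))

    # Credentials should be referenced (e.g. "${GITHUB_TOKEN}"), never stored inline.
    for key, value in env.items():
        if SECRET_NAME.search(key) and not str(value).startswith("${"):
            findings.append(("high", f"{name}: credential {key} is stored inline in the config"))
    return findings


def audit_config(config):
    """Audit every upstream server in the gateway config."""
    findings = []
    for name, spec in config.get("mcpServers", {}).items():
        findings.extend(audit_server(name, spec))
    return findings


# Constructed sample: one vetted local binary, one unpinned npx package with an
# inline API key, and one plain-HTTP remote endpoint.
SAMPLE_CONFIG = json.loads("""
{
  "mcpServers": {
    "github": {
      "command": "/usr/local/bin/github-mcp",
      "env": {"GITHUB_TOKEN": "${GITHUB_TOKEN}"}
    },
    "linear": {
      "command": "npx",
      "args": ["-y", "some-linear-mcp"],
      "env": {"LINEAR_API_KEY": "lin_api_constructed_value"}
    },
    "notes": {
      "url": "http://notes.example.com/sse"
    }
  }
}
""")

if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against the gateway's real config before letting an agent start the service; any high finding means an upstream can pull unreviewed code at launch or is carrying a credential in plaintext, which is exactly the exposure the finding describes.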

Context-Inappropriate Capability

Medium severity
78% confidence
Finding
The documented daemon lifecycle and installation commands grant broader host-management capability than the skill description implies. Exposing install/start/stop/restart behavior to agents increases the chance of unintended system modification, persistence changes, or service disruption on the local machine.

Context-Inappropriate Capability

Medium severity
93% confidence
Finding
The install command performs broad system modification by invoking Homebrew and global npm installs, which exceeds a simple wrapper's core role and can materially change the host environment. In an agent skill context, this is dangerous because an automated agent may trigger package installation without explicit user approval, introducing supply-chain risk and unintended persistence of tools on the machine.

Missing User Warnings

Medium severity
80% confidence
Finding
The rollback section includes package removal and recursive deletion of configuration and launch-agent files without an explicit danger banner or confirmation guidance. In an agentic context, terse destructive commands can be copied or executed automatically, causing avoidable local data loss or service removal.

Missing User Warnings

Medium severity
95% confidence
Finding
The install routine modifies the system by installing packages and global npm dependencies without any warning, consent step, or dry-run mode. For an agent-operated skill, silent environment changes are risky because they can surprise users, alter trusted tooling, and pull executable code from external registries at install time.
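Both of the Missing User Warnings findings come down to the same gap: a destructive or environment-changing step that runs with no dry run, no confirmation, and no check that the paths it touches are the ones intended. The script below is an added example, not pctx's own rollback code, showing how such a step can be gated. It assumes the rollback removes a config directory and a per-user launchd plist whose locations arrive as strings from the environment or a config file; the directory and plist names are placeholders, and the fixture files it creates are constructed for the demonstration.

```python
"""Gate a destructive rollback behind a dry run, explicit confirmation and a
path-containment check.

Added example, not pctx's own rollback code. Assumes the rollback deletes a
config directory and a per-user launchd plist passed in as path strings; the
names below are placeholders and the fixtures are constructed.
"""
import os
import shutil
import tempfile
from pathlib import Path


def checked_targets(home, targets):
    """Lexically resolve each target and refuse any that is empty, equals the
    home root, or lies outside it. A blank variable that would expand to ""
    or "/" must fail here rather than reach a recursive delete."""
    root = Path(os.path.abspath(home))
    checked = []
    for t in targets:
        if not t or not t.strip():
            raise ValueError("refusing empty rollback target")
        p = Path(os.path.abspath(os.path.expanduser(t)))
        if p == root or root not in p.parents:
            raise ValueError(f"refusing {t!r}: not strictly inside {root}")
        checked.append(p)
    return checked


def rollback(home, targets, confirm=False):
    """Dry run by default: report what exists and would be removed, delete
    nothing. With confirm=True, remove the checked targets. Symlinks are
    unlinked, never followed, so a planted link cannot widen the deletion."""
    existing = [p for p in checked_targets(home, targets)
                if p.exists() or p.is_symlink()]
    if not confirm:
        return {"dry_run": True, "would_remove": existing, "removed": []}
    removed = []
    for p in existing:
        if p.is_dir() and not p.is_symlink():
            shutil.rmtree(p)
        else:
            p.unlink()
        removed.append(p)
    return {"dry_run": False, "would_remove": existing, "removed": removed}


def demo():
    """Build a throwaway home containing a placeholder config dir and launch
    agent plist (constructed fixtures), then run the rollback both ways and
    check that unsafe targets are refused."""
    home = tempfile.mkdtemp(prefix="fakehome-")
    cfg = Path(home, ".config", "pctx")  # placeholder config dir name
    plist = Path(home, "Library", "LaunchAgents", "com.example.pctx.plist")  # placeholder label
    cfg.mkdir(parents=True)
    (cfg / "settings.json").write_text("{}")
    plist.parent.mkdir(parents=True)
    plist.write_text("<plist/>")
    targets = [str(cfg), str(plist)]

    dry = rollback(home, targets)  # no confirm: plan only
    kept = cfg.exists() and plist.exists()
    real = rollback(home, targets, confirm=True)
    gone = not cfg.exists() and not plist.exists()

    refused = 0
    for bad in ["/", home, "", os.path.dirname(home)]:  # each must be rejected
        try:
            checked_targets(home, [bad])
        except ValueError:
            refused += 1
    shutil.rmtree(home, ignore_errors=True)
    return {
        "dry_run_planned": len(dry["would_remove"]),
        "dry_run_kept_files": kept,
        "confirmed_removed": len(real["removed"]),
        "confirmed_deleted_files": gone,
        "bad_targets_refused": refused,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same shape applies to the install path: compute the list of packages and files the step would add, print it, and only proceed when the caller passes an explicit confirmation that an agent cannot supply on the user's behalf without the user seeing the plan.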

VirusTotal

0 of 66 VirusTotal vendors flagged this skill; all 66 reported it clean. Note that this covers known-malware signatures only and says nothing about the agentic-risk findings above.
