ClawHub

Clawshorts Pkg

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: run a local Fire TV Shorts limiter, with some local safety caveats but no evidence of deception, data theft, or destructive intent.

Install only if you want a background local daemon that can control YouTube on configured Fire TV devices over ADB. Use it on a trusted home network, review the auto-start service it creates, and avoid sharing logs because they can include device IPs and viewing-status details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
        subprocess.run(["launchctl", "stop", "com.fink.clawshorts"], timeout=5)
        time.sleep(1)
        subprocess.run(["pkill", "-9", "-f", "clawshorts-daemon.py"], timeout=10)
        time.sleep(1)
    except subprocess.TimeoutExpired:
        _log("Kill command timed out")
Confidence
83% confidence
Finding
subprocess.run(["pkill", "-9", "-f", "clawshorts-daemon.py"], timeout=10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Start the daemon for the given IP."""
    try:
        daemon_out = STATE_DIR / "daemon.log"
        subprocess.Popen(
            [sys.executable, str(DAEMON_SCRIPT), ip],
            stdout=open(daemon_out, "a"),
            stderr=subprocess.STDOUT,
Confidence
87% confidence
Finding
subprocess.Popen( [sys.executable, str(DAEMON_SCRIPT), ip], stdout=open(daemon_out, "a"), stderr=subprocess.STDOUT, start_new_session=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
capture_output=True,
            timeout=15,
        )
        pull_result = subprocess.run(
            ["adb", "-s", device_id, "pull", "/sdcard/ui.xml", "/tmp/verify-ui.xml"],
            capture_output=True,
            timeout=10,
Confidence
89% confidence
Finding
pull_result = subprocess.run( ["adb", "-s", device_id, "pull", "/sdcard/ui.xml", "/tmp/verify-ui.xml"], capture_output=True, timeout=10, )

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This health-check script has local process-killing, service-stopping, and process-spawning capabilities, which are broader than the user-facing description of managing YouTube Shorts limits on a Fire TV. In skill context, hidden host-level control increases risk because compromise or misuse of the skill affects the local machine, not just the target Fire TV behavior.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script contains host-level install, uninstall, and persistence-management capabilities that go beyond merely checking or configuring Shorts limits on Fire TV devices. In an agent context, these commands can modify the operator's workstation by creating symlinks, service definitions, and auto-start behavior, which expands the trust boundary and creates unnecessary persistence risk.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script can install ADB through apt-get or Homebrew, including use of sudo on Linux, even though the stated purpose is managing Shorts limiting on Fire TV devices. Allowing an agent skill to install packages on the host broadens impact from device management to arbitrary host modification and privilege escalation prompts.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The CLI implements capabilities beyond the skill’s stated purpose, including multi-device administration, device enable/disable, removal, and local history/log inspection. In an agent setting, this expands the authority surface and can enable unintended actions or disclosure of local operational data that a user did not explicitly authorize when invoking a Shorts-management skill.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The logs command reads and prints a local daemon log file from the user’s home directory without any access control or redaction. Log files often contain device identifiers, IPs, errors, stack traces, and other sensitive local context, so exposing them through a skill creates an unnecessary data-disclosure path unrelated to the core Shorts-limiting function.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The install and uninstall flows write persistent files under LaunchAgents/systemd user directories, create symlinks, and enable services without presenting a clear warning about these changes at the time they occur. In an agent setting, silent persistent changes reduce user awareness and can lead to unintended background execution on the host.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The reset command can reset quotas for all devices when no IP is provided, and it performs this destructive state change immediately without an explicit confirmation prompt. In an agent workflow, argument omission or ambiguity could cause unintended bulk resets, undermining enforcement and destroying usage state across devices.

Unvalidated Output Injection

High
Category
Output Handling
Content
capture_output=True,
            timeout=15,
        )
        pull_result = subprocess.run(
            ["adb", "-s", device_id, "pull", "/sdcard/ui.xml", "/tmp/verify-ui.xml"],
            capture_output=True,
            timeout=10,
Confidence
87% confidence
Finding
subprocess.run( ["adb", "-s", device_id, "pull", "/sdcard/ui.xml", "/tmp/verify-ui.xml"], capture_output

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal