Cluster

Security checks across malware telemetry and agentic risk

Overview

This is a local clustering tool whose file access and saved history are disclosed and fit its stated purpose.

Install only if you are comfortable running a local bash/Python script and storing clustering history in ~/.cluster. Avoid using highly sensitive datasets unless local retention of file paths, assignments, centroids, and metrics is acceptable, and manually delete ~/.cluster data when you no longer need it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation describes use of environment variables and persistent writes to `~/.cluster/data.jsonl` and `~/.cluster/config.json`, but the skill declares no permissions. That creates a transparency and consent problem: an agent or user may invoke a skill that reads user-supplied paths and writes persistent local data without an explicit permission boundary, increasing the risk of unintended data exposure or unsafe file interactions.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script persistently creates and maintains a local datastore and config under ~/.cluster, which goes beyond one-shot clustering and expands the skill into stateful data management. In an agent setting, this increases data-retention and cross-session exposure risk because potentially sensitive input paths, assignments, centroids, and metrics are stored without explicit consent or retention controls.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The export command can write run data to an arbitrary filesystem path supplied via OUTPUT, which is broader than necessary for clustering and can overwrite any file the current user can write if the agent is induced to choose an unsafe path. Even without privilege escalation, arbitrary file write within the current user's permissions is a meaningful capability expansion.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The import command accepts arbitrary JSON/JSONL and appends it directly into the persistent datastore with no schema validation. This allows datastore poisoning, malformed records, misleading analytics, and persistence of attacker-controlled content that later commands trust as legitimate run data.

Context-Inappropriate Capability

Low
Confidence
85% confidence
Finding
The config command permits arbitrary key/value mutation in the on-disk config file rather than limiting updates to a known safe schema. While not immediately leading to code execution, it can alter future behavior in unexpected ways and weakens integrity of the tool's operating parameters.
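The three Context-Inappropriate Capability findings above share one root cause: user- or agent-supplied input reaches the filesystem or the datastore with no boundary. The Python below is an added example, not the Cluster skill's own code and not from NVIDIA or SkillSpector, of what the hardened export, import and config operations look like. The record schema, the allow-listed config keys and the exports/ subdirectory are assumptions made for illustration.

```python
# Added example (not the Cluster skill's own code): hardened export/import/config
# guards. Record schema, config keys and the exports/ directory are assumptions.
import json
import tempfile
from pathlib import Path

# Assumed schema for one data.jsonl record: field -> required JSON type.
RECORD_SCHEMA = {"run_id": str, "input_file": str, "k": int,
                 "assignments": list, "centroids": list, "metrics": dict}

def is_int(v):
    # JSON true/false decode to bool, a subclass of int; reject them explicitly.
    return isinstance(v, int) and not isinstance(v, bool)

# Assumed allow-list of config keys with validators (no arbitrary key/value writes).
CONFIG_SCHEMA = {
    "default_k": lambda v: is_int(v) and 1 <= v <= 1000,
    "retain_history": lambda v: isinstance(v, bool),
}

def safe_export_path(output: str, export_dir: Path) -> Path:
    """Confine OUTPUT to a new file directly inside export_dir."""
    base = export_dir.resolve()
    # resolve() collapses '..' and follows symlinks; an absolute OUTPUT replaces
    # base in the join, so every escape fails the parent check below.
    target = (base / output).resolve()
    if target.parent != base:
        raise ValueError(f"export path must be a file directly under {base}")
    if target.exists():
        raise FileExistsError(f"refusing to overwrite {target}")
    return target

def validate_record(rec) -> dict:
    """Reject anything not matching RECORD_SCHEMA exactly (no extra fields)."""
    if not isinstance(rec, dict) or set(rec) != set(RECORD_SCHEMA):
        raise ValueError(f"record must have exactly the fields {sorted(RECORD_SCHEMA)}")
    for field, typ in RECORD_SCHEMA.items():
        if not (is_int(rec[field]) if typ is int else isinstance(rec[field], typ)):
            raise ValueError(f"field {field!r} must be {typ.__name__}")
    if rec["k"] < 1 or not all(is_int(a) and 0 <= a < rec["k"] for a in rec["assignments"]):
        raise ValueError("assignments must be cluster indices in [0, k)")
    return rec

def import_records(text: str, store: Path) -> int:
    """Accept a JSON array or JSONL; a poisoned batch is rejected whole."""
    body = text.strip()
    if body.startswith("["):
        items = json.loads(body)
    else:
        items = [json.loads(line) for line in body.splitlines() if line.strip()]
    records = [validate_record(r) for r in items]  # raises before store is touched
    with open(store, "a", encoding="utf-8") as fh:
        for rec in records:
            fh.write(json.dumps(rec, separators=(",", ":")) + "\n")
    return len(records)

def set_config(key: str, value, config_path: Path) -> dict:
    """Only allow-listed keys with validated values reach config.json."""
    if key not in CONFIG_SCHEMA:
        raise KeyError(f"unknown config key {key!r}")
    if not CONFIG_SCHEMA[key](value):
        raise ValueError(f"invalid value for {key!r}: {value!r}")
    cfg = json.loads(config_path.read_text()) if config_path.exists() else {}
    cfg[key] = value
    config_path.write_text(json.dumps(cfg, indent=2))
    return cfg

# Constructed sample inputs, not real clustering runs.
GOOD_JSONL = ('{"run_id":"r1","input_file":"/data/a.csv","k":2,"assignments":[0,1,1],'
              '"centroids":[[0.1,0.2],[0.9,0.8]],"metrics":{"inertia":1.5}}\n')
# Second record smuggles an unknown field and an out-of-range assignment.
POISONED_JSONL = GOOD_JSONL + ('{"run_id":"r2","input_file":"/data/b.csv","k":1,'
                               '"assignments":[0,7],"centroids":[[0.5,0.5]],'
                               '"metrics":{},"note":"trust me"}\n')

def rejected(fn, *args) -> bool:
    try:
        fn(*args)
        return False
    except (ValueError, KeyError, FileExistsError):
        return True

def demo() -> dict:
    """Exercise the guards in a throwaway directory and return the outcomes."""
    root = Path(tempfile.mkdtemp(prefix="cluster-demo-"))
    exports, store, cfg = root / "exports", root / "data.jsonl", root / "config.json"
    exports.mkdir()
    return {
        "export_ok": safe_export_path("run1.json", exports).name == "run1.json",
        "traversal_rejected": rejected(safe_export_path, "../data.jsonl", exports),
        "imported": import_records(GOOD_JSONL, store),
        "poison_rejected": rejected(import_records, POISONED_JSONL, store),
        "store_lines": len(store.read_text().splitlines()),  # poison never appended
        "config": set_config("default_k", 3, cfg),
        "unknown_key_rejected": rejected(set_config, "shell_hook", "id", cfg),
        "bool_for_int_rejected": rejected(set_config, "default_k", True, cfg),
    }

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

demo() runs each guard against a temporary directory. The import guard validates the whole batch before appending, so one bad record leaves data.jsonl untouched; the export guard only accepts a path that resolves to a new file directly under the export directory, which covers `..`, absolute paths and symlinks in one check; the config guard accepts only allow-listed keys whose values pass a validator, so a stray JSON `true` cannot land in an integer setting.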

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly states that clustering runs, parameters, assignments, centroids, metrics, and source input file paths are stored persistently in `~/.cluster/data.jsonl`, but it does not warn that these artifacts may contain sensitive or proprietary dataset information. In a data-analysis context, cluster assignments, metrics, and file paths can reveal business, personal, or research data long after execution, so silent retention raises meaningful privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The run command silently appends clustering results and metadata to a persistent local file, including input_file and derived analysis outputs, without warning the user. In contexts involving sensitive datasets, undisclosed retention can create privacy, compliance, and unintended data-sharing risks across sessions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The import path writes supplied records into the local datastore without prior notice or confirmation, creating persistent side effects from a single command. This is dangerous in agent workflows because imported data may outlive the task and influence later operations unexpectedly.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The config command overwrites the persistent configuration file without warning that the change is durable. This can surprise users and cause subsequent runs to behave differently due to hidden state changes.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal