ClawHub

Cnc

Security checks across malware telemetry and agentic risk

Overview

This is a simple local tracker labeled for CNC use; it stores and edits its own local files and shows no hidden network, credential, or machine-control behavior.

Install only if you want a lightweight local tracker for CNC-related notes or records. Do not rely on it for G-code validation, CNC safety checks, or machine control. Review local data before using remove, and be aware that export writes or overwrites cnc-export.json/cnc-export.csv in the current directory while stored entries remain under ~/.cnc by default.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The script's behavior does not match the declared CNC machining purpose: it acts as a generic local logging and config utility. This mismatch is dangerous because it can mislead users and reviewers about what the skill actually does, increasing the chance that unrelated data collection or unexpected local file manipulation is trusted and executed under a misleading label.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill documents a remove command without any warning about deletion scope, confirmation behavior, or recoverability. In a local data-management tool, this can lead to accidental loss of CNC program metadata or records, especially if an agent invokes commands autonomously or a user assumes the action is reversible.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The export command writes stored user data to a file but the documentation provides no notice about destination, overwrite behavior, or sensitivity of exported contents. This can cause unintentional disclosure or clobbering of existing files if users or agents export data into insecure or unexpected locations.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal