ClawHub

Docs Generator

Security checks across malware telemetry and agentic risk

Overview

The main docs generator is local and mostly as described, but the package also includes an undocumented generic data/logging script that stores user-supplied entries on disk.

Review before installing. Use scripts/docs-generator.sh for documentation templates only, and avoid entering sensitive notes or secrets into scripts/script.sh because it can retain entries and command history in a local data directory. The maintainer should remove the auxiliary utility or clearly document its purpose and storage behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script’s behavior materially contradicts the declared skill purpose: instead of generating documentation, it implements a generic local data collection and logging utility with persistent storage. In an agent skill ecosystem, this kind of functionality mismatch is dangerous because it can mislead users and reviewers about what the skill actually does, enabling covert data collection or misuse under the guise of a benign docs tool.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The inline help explicitly brands the script as a 'Multi-purpose utility tool,' which directly conflicts with the metadata claiming it is a documentation generator. This inconsistency is a red flag because deceptive labeling reduces transparency and can hide unexpected capabilities, increasing the chance that the skill is accepted or executed under false assumptions.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal