Skill 1

Security checks across malware telemetry and agentic risk

Overview

This is a QR-code generator with disclosed file output and dependency-install behavior, but users should handle automatic pip installs and WiFi QR files carefully.

Install only where it is acceptable for a skill to create files and potentially install a Python package automatically. For stricter environments, preinstall or pin qrcode[pil] yourself. Choose output paths carefully, and treat WiFi QR codes as secrets because they contain the network password.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        return qrcode
    except ImportError:
        import subprocess
        subprocess.check_call([sys.executable, "-m", "pip", "install", "qrcode[pil]", "-q"])
        import qrcode
        return qrcode
Confidence
98% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "qrcode[pil]", "-q"])

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation indicates shell execution and file-writing behavior, but the manifest declares no permissions. This mismatch can mislead reviewers and users about the skill's operational scope, reducing scrutiny around commands that write files or invoke package installation paths.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Automatic pip installation introduces network-retrieved code execution and package-management side effects beyond simple QR generation. If triggered implicitly, it can install unpinned or unexpected dependencies, increasing supply-chain and arbitrary code execution risk on the host environment.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
A QR generator should only encode user-supplied data, but this code additionally installs software at runtime, which is unrelated to its core function and increases attack surface. This is dangerous because package installation pulls untrusted code and executes package build/install hooks, turning a simple utility into one that can modify the system and run third-party code.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The description is broad enough that the skill may be selected for ordinary requests involving links, contact data, or scannable sharing, increasing the chance it runs in contexts the user did not specifically intend. Over-broad triggering is risky here because the skill can write files and may invoke dependency installation behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation demonstrates passing WiFi credentials directly on the command line without warning that secrets may be exposed in shell history, process listings, logs, or generated files. This creates a practical credential-handling risk, especially on shared systems or when commands are copied into transcripts and automation logs.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The script installs `qrcode[pil]` automatically without prompting or warning the user, so a simple request to generate a QR code can silently trigger package download and installation. In an agent skill context, this is more dangerous because the caller may not expect side effects on the host system, and automated package installation can violate environment controls or expose the system to supply-chain compromise.

VirusTotal

65/65 vendors flagged this skill as clean.
