Skill 4

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward website uptime checker that makes disclosed requests to URLs the user provides.

Install this only if you want the agent to be able to make outbound website checks. Provide only URLs you are authorized to test, and avoid internal, private admin, localhost, or cloud metadata URLs unless that access is intentional.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill documentation clearly describes outbound HTTP requests to arbitrary URLs, which is a network capability, yet no permissions are declared. Undeclared network access weakens user awareness and policy enforcement, and could allow the skill to be invoked in contexts where external communication was not expected.

Vague Triggers

Medium
Confidence: 83%
Finding: The trigger phrase "check website" is broad enough to match many ordinary user requests that may not specifically intend to invoke this skill. Over-broad activation can cause unintended execution of a network-capable tool, leading to surprise outbound requests or misuse in unrelated conversations.

Vague Triggers

Medium
Confidence: 79%
Finding: The trigger phrase "ping website" is ambiguous because users may mean a casual connectivity check, troubleshooting guidance, or metaphorical contact rather than execution of this specific skill. In a skill that performs network requests, ambiguous routing increases the chance of accidental invocation and unintended external access.

VirusTotal

62/62 vendors flagged this skill as clean.
