Nvidia Agent Fleet

Security checks across malware telemetry and agentic risk

Overview

This NVIDIA model-dispatch skill mostly matches its stated purpose, but to find an API key it also searches local credential stores and, along the way, sources the user's shell startup file in bash, which executes every command in that file rather than merely reading one variable.

Review before installing. Set NVIDIA_API_KEY explicitly in the current environment rather than relying on auto-discovery, and keep secrets and private code out of prompts, because normal use sends task content to NVIDIA's API. The VirusTotal status was still pending at the time of this summary and was not used as a negative signal.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if os.path.exists(zshrc):
    try:
        import subprocess
        result = subprocess.run(
            ["bash", "-c", f"source {zshrc} && echo $NVIDIA_API_KEY"],
            capture_output=True, text=True, timeout=5
        )
Confidence
98% confidence
Finding
result = subprocess.run( ["bash", "-c", f"source {zshrc} && echo $NVIDIA_API_KEY"], capture_output=True, text=True, timeout=5 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill advertises capabilities that imply shell, file, environment, and network access, yet declares no permissions. That creates a transparency and consent failure: users may invoke a seemingly harmless orchestration skill without realizing it can read local files, inspect environment variables, and make external calls. In the context of an agent fleet, these capabilities materially increase the blast radius if the skill is misused or compromised.

Tp4

High
Category
MCP Tool Poisoning
Confidence
99% confidence
Finding
The documented behavior goes beyond model dispatching: it includes credential discovery from sensitive local sources such as shell startup files and OpenClaw configs, plus runtime environment modification. The mismatch is dangerous because users evaluating the skill by its stated purpose would not reasonably expect local secret harvesting, and reading ~/.zshrc by sourcing it in a shell is especially risky because that executes every command in the file, not just the export line.
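The sourcing pattern from the subprocess finding above and this Tp4 finding, placed beside a parse-only alternative, as an added example that is not the skill's own code and not NVIDIA's. It writes a constructed rc file to a temporary directory; the DEMO_MARKER variable exists only so the demo can prove whether the rc file was executed, and discover_by_sourcing, discover_by_parsing and resolve_key are illustration names.

```python
import os
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed sample rc file (not a real user's ~/.zshrc). It exports the key the
# skill wants, but, like any real rc file, it also runs commands with side effects.
# The last line stands in for anything an attacker could plant in the file.
SAMPLE_ZSHRC = """\
export PATH="$HOME/bin:$PATH"
export NVIDIA_API_KEY="nvapi-EXAMPLE-0000"
echo "rc-executed" >> "$DEMO_MARKER"
"""


def discover_by_sourcing(rc_path, marker):
    """The flagged pattern: bash sources the entire rc file to read one variable,
    so every command in it runs with the skill's privileges."""
    result = subprocess.run(
        ["bash", "-c", f"source {rc_path} && echo $NVIDIA_API_KEY"],
        capture_output=True, text=True, timeout=5,
        env={**os.environ, "DEMO_MARKER": str(marker)},  # demo-only plumbing
    )
    return result.stdout.strip()


# Hardened reader: match exactly one 'NVIDIA_API_KEY=' assignment line, execute nothing.
_KEY_LINE = re.compile(
    r'^\s*(?:export\s+)?NVIDIA_API_KEY=(["\']?)([^"\'\s#]+)\1\s*(?:#.*)?$'
)


def discover_by_parsing(rc_path):
    """Read the rc file as text and pull the assignment out of it. No shell is involved,
    so nothing else in the file can run; a value built from other variables ($FOO) is
    returned literally rather than expanded, which is the price of not executing."""
    for line in Path(rc_path).read_text(encoding="utf-8").splitlines():
        m = _KEY_LINE.match(line)
        if m:
            return m.group(2)
    return None


def resolve_key(rc_path=None, env=None):
    """Policy the overview recommends: honour an explicit NVIDIA_API_KEY in the current
    environment first, and only then fall back to the parse-only rc reader."""
    env = os.environ if env is None else env
    if env.get("NVIDIA_API_KEY"):
        return env["NVIDIA_API_KEY"], "environment"
    if rc_path and os.path.exists(rc_path):
        key = discover_by_parsing(rc_path)
        if key:
            return key, "rc-file-parsed"
    return None, "not-found"


def demo():
    """Run both discovery strategies against the constructed rc file in a temp dir and
    report whether each one triggered the rc file's side effect (the marker file)."""
    with tempfile.TemporaryDirectory() as d:
        rc = Path(d) / ".zshrc"
        rc.write_text(SAMPLE_ZSHRC, encoding="utf-8")
        marker = Path(d) / "marker"
        out = {
            "parsed": discover_by_parsing(rc),
            "parsed_ran_rc": marker.exists(),
        }
        if shutil.which("bash"):  # skip the unsafe path where bash is unavailable
            out["sourced"] = discover_by_sourcing(rc, marker)
            out["sourced_ran_rc"] = marker.exists()
        return out


if __name__ == "__main__":
    print(demo())
```

Both strategies recover the same key, but only the sourcing path creates the marker file, which is the whole point of the finding: the skill gets one variable and the rc file gets code execution. The parse-only reader is deliberately narrow; it will miss a key assembled from other shell variables, and that limitation is preferable to running the file.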

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Reading credentials from shell config files and application config files is broader than what a multi-agent dispatcher inherently needs. Even if intended for convenience, this expands the trust boundary into user-local secret stores and can expose unrelated credentials or sensitive configuration data if parsing is overly broad or logs/errors leak contents.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The dispatcher searches broadly for credentials in environment variables, shell startup files, and unrelated local config files, then reuses any discovered key automatically. This is dangerous because it expands the trust boundary, accesses secrets the user did not explicitly provide for this tool, and may unintentionally exfiltrate them via later API calls or child processes.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The module presents itself as a scheduler/dispatcher, but it also performs hidden secret discovery from shell and local config files. This mismatch is security-relevant because users are less likely to anticipate credential harvesting behavior from a component whose stated purpose is task routing, reducing informed consent and making misuse harder to detect.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly describes automatic API key discovery from local files but gives no user-facing warning that secrets will be accessed. Lack of notice undermines informed consent and makes accidental exposure more likely, especially in shared or enterprise environments where shell/config files may contain additional sensitive data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill automatically reads NVIDIA credentials from local files and shell config without any user-facing warning or confirmation. Even if intended as convenience, silently collecting secrets from multiple locations is unsafe because users may not realize the tool is accessing sensitive local state beyond the current process environment.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
User task content is sent to `https://integrate.api.nvidia.com/v1` for processing, but the dispatcher does not provide an execution-time privacy warning or confirmation. This can expose sensitive prompts, code, data, or internal information to a third-party service unexpectedly, especially in an agent framework where users may assume local routing rather than remote transmission.

Ssd 3

Medium
Confidence
95% confidence
Finding
The documented API-key auto-discovery instructs the skill to obtain secrets from user-local sources, including shell configuration files. This is dangerous because such files can contain multiple secrets beyond the intended key, and any mechanism that reads or executes them can lead to credential exposure, unintended command execution, or exfiltration through downstream network calls.

VirusTotal

65/65 vendors flagged this skill as clean.
