Security audit

Promotion Apply Skills

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly aligned with managing banner promotions, but it needs Review because it can change real promotion/admin state and its helper scripts can automatically install packages while processing images.

Install only in a controlled environment where the agent is expected to use internal MWS credentials and manage real promotions. Preinstall and pin Pillow and requests instead of allowing runtime pip installs, restrict image URLs to trusted sources where possible, and require explicit user intent before create/copy/update/status/admin actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (16)

os.system() or os exec-family call

Severity: High
Category: Dangerous Code Execution
Content:

import os
import sys

try:
    from PIL import Image
except ImportError:
    # Flagged behaviour: shells out to pip at runtime when Pillow is missing
    print("Installing Pillow...", file=sys.stderr)
    os.system(f"{sys.executable} -m pip install Pillow requests -q")
    from PIL import Image

Confidence: 94%
Finding: os.system(f"{sys.executable} -m pip install Pillow requests -q")

os.system() or os exec-family call

Severity: High
Category: Dangerous Code Execution
Content:

import os
import sys

try:
    import requests
except ImportError:
    # Flagged behaviour: shells out to pip at runtime when requests is missing
    print("Installing requests...", file=sys.stderr)
    os.system(f"{sys.executable} -m pip install requests -q")
    import requests

Confidence: 94%
Finding: os.system(f"{sys.executable} -m pip install requests -q")

os.system() or os exec-family call

Severity: High
Category: Dangerous Code Execution
Content:

import os
import sys

try:
    from PIL import Image
except ImportError:
    # Flagged behaviour: shells out to pip at runtime when Pillow is missing
    print("Installing Pillow...", file=sys.stderr)
    os.system(f"{sys.executable} -m pip install Pillow -q")
    from PIL import Image

Confidence: 95%
Finding: os.system(f"{sys.executable} -m pip install Pillow -q")

os.system() or os exec-family call

Severity: High
Category: Dangerous Code Execution
Content (excerpt from inside the image-loading function; `path_or_url` is the caller-supplied argument):

        try:
            import requests
        except ImportError:
            # Flagged behaviour: shells out to pip at runtime when requests is missing
            print("Installing requests...", file=sys.stderr)
            os.system(f"{sys.executable} -m pip install requests -q")
            import requests
        # Immediately fetches the user-supplied URL over HTTP(S)
        response = requests.get(path_or_url, timeout=30)
        response.raise_for_status()

Confidence: 97%
Finding: os.system(f"{sys.executable} -m pip install requests -q")

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill clearly instructs the agent to use shell commands, read local/reference files, and access networked services, yet no explicit permission declaration is present. That creates a capability/consent mismatch where a caller may invoke a highly privileged workflow without clear sandboxing or policy review, increasing the risk of unintended command execution, data access, or external writes.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: The skill includes identity-management behavior by directing use of admin-get/admin-add and deriving administrator lists from chat participants. This expands the blast radius beyond banner promotion CRUD into access-control changes, so prompt confusion or misuse could grant unauthorized users ongoing access to promotions.

Context-Inappropriate Capability

Severity: Low
Confidence: 77%
Finding: The skill handles NOS token acquisition and direct object-storage upload even though the headline purpose is banner promotion operations. Storage-token handling broadens capabilities to external file transfer and can expose sensitive assets or enable unintended uploads if the skill is triggered on untrusted inputs.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: The helper script performs package installation and shell execution, which is broader than expected for a banner-promotion image resize utility. In this skill context, such behavior is not justified by the declared functionality and increases supply-chain and execution risk without clear operational need.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding: The script fetches arbitrary HTTP/HTTPS content from a user-supplied URL, which can be abused for SSRF-style network access, unexpected outbound requests, or downloading malicious payloads disguised as images. Because the skill is for banner-promotion management rather than generic network retrieval, this broader capability is riskier in context.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The script can both install packages and fetch arbitrary remote URLs, capabilities that exceed the stated purpose of validating image dimensions. In the context of a banner-promotion skill, this is more dangerous because user-supplied asset references may trigger outbound requests, SSRF-like access to internal resources, or unapproved environment changes in an agent runtime.

Intent-Code Divergence

Severity: Low
Confidence: 85%
Finding: The docstring describes a pure image-size validation utility, but the implementation also performs package installation and network access. This mismatch is dangerous because reviewers and operators may underestimate the script's privileges and side effects, leading to unsafe execution in trusted workflows.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The trigger description includes broad everyday phrases such as query/copy/create/modify/configure banner/material, making accidental invocation more likely. Because this skill performs write actions, uploads, and admin changes, overbroad triggering can cause high-risk operations to start from ambiguous user intent.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: Automatically installing packages without prior approval or deployment-time control executes code from external sources during normal operation. This weakens change control and can introduce malicious or unexpected dependency behavior into an environment handling production tasks.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: This package auto-install path repeats the same unsafe pattern: runtime retrieval and execution of external code without user confirmation or administrative control. In an operational skill, that behavior is inconsistent with secure software supply-chain practices and can lead to compromise if the package source is tampered with.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: Automatically installing Pillow without explicit user consent or deployment-time control introduces unreviewed code into the environment. This creates supply-chain risk and operational unpredictability, especially inside agent or CI systems where scripts are expected to validate data, not modify the host.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The script silently installs requests if absent and then performs outbound HTTP(S) fetches based on the provided argument. In a banner asset workflow, that can expose internal network access, leak metadata through requests, and surprise operators who expect an offline validation step.

VirusTotal

64/64 vendors flagged this skill as clean.
