Back to skill

Security audit

AssetClaw 资产管理系统

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a disclosed AssetHub integration, but it gives an agent broad production/admin authority while handling credentials and confirmations unsafely.

Install only if you are comfortable giving the agent production AssetHub authority, including admin and destructive workflows. Use a least-privilege account, override the API URL to HTTPS, avoid placing passwords in the documented /tmp credential file, manually confirm any restore/delete/admin action, and clear both token and temporary credential files after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The documentation greatly expands from asset workflow assistance into platform administration, backup, configuration, health, and other operational domains. This overbreadth increases attack surface and makes it easier for an agent invocation to drift into sensitive administrative actions unrelated to the advertised purpose.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Database and system configuration management are highly privileged capabilities that are not justified by a normal asset-lifecycle assistant. Exposing them in the same skill creates a path for destructive or persistence-changing operations if the agent is prompted or manipulated.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Backup creation, restore, and tenant-migration operations are operationally sensitive and can cause major confidentiality, integrity, and availability impact. Including them in a general business workflow skill makes accidental or malicious misuse more likely.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
User, role, permission, and department administration exceed the stated purpose and expose identity and authorization control surfaces. In an agent context, this can enable privilege changes, user lifecycle abuse, or unauthorized organizational modifications.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Module enable/disable, rollback, and dashboard configuration are platform-level administrative operations outside the declared business scope. These capabilities can change system behavior or conceal activity, making prompt abuse more dangerous.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill explicitly instructs storing user credentials in a local temporary file, but does not provide a strong warning or safer handling model. Local plaintext credential persistence creates clear risk of disclosure through filesystem access, logs, debugging, or later agent misuse.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill supports direct file upload, sharing, OCR, and AI document analysis without prominent warning that document contents are transmitted to backend services. For asset and medical environments, these documents may contain sensitive operational or personal data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document contains many destructive and high-impact write operations but lacks a general warning that actions can alter or delete production data. In an agent setting, absent warnings increase the chance of accidental destructive execution from ambiguous prompts.

Missing User Warnings

High
Confidence
93% confidence
Finding
Documenting backup restore and backup deletion endpoints without prominent warnings materially increases the chance of catastrophic operator misuse in an agent context, because these actions can overwrite or remove system state. In a skill designed for fast business operations, an agent may treat the reference as approval to invoke these endpoints without adequate human confirmation, causing irreversible data loss or service disruption.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
AI and cloud-sync endpoints inherently suggest transmission of user, asset, document, or event data to processing or external synchronization components, yet the reference provides no privacy, residency, retention, or third-party transfer warning. In an agent-integrated environment, this omission can lead users or downstream automations to send sensitive operational data off-system without informed consent or proper controls.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script loads usernames and passwords from environment variables and from a temporary JSON file in /tmp, which exposes sensitive credentials to local disclosure risks and accidental reuse. In a multi-user or shared-host setting, temp files and process environments can be inspected or mishandled, and the script gives no warning or protection around that credential flow.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script persists bearer tokens and session metadata to /tmp/assethub-claw-session.json without setting restrictive file permissions or using a secure storage location. Tokens in world-accessible or guessable temporary paths can be stolen by another local user or process, enabling unauthorized API access under the victim's account.

Missing User Warnings

High
Confidence
98% confidence
Finding
The generic request function can issue POST, PUT, and DELETE requests to arbitrary API paths, and it automatically replays risky write operations when a confirmToken is returned. This defeats the purpose of server-side step-up confirmation and can cause destructive actions to proceed without explicit user intent, especially dangerous in an asset-management skill that handles approvals, disposal, maintenance, and other operational records.

Ssd 3

Medium
Confidence
99% confidence
Finding
Persisting user-provided login credentials to a local session file introduces unnecessary secret retention. Any process or user with access to that file could recover credentials and reuse them beyond the intended session.

Ssd 3

Medium
Confidence
98% confidence
Finding
The repeated instruction to auto-store and reuse credentials normalizes retention of highly sensitive secrets and increases the chance of over-collection. This creates a broader leakage surface and weakens least-retention practices.

Ssd 3

Medium
Confidence
99% confidence
Finding
The quick-start section reinforces writing supplied credentials to a local file for automatic reuse, making insecure secret handling part of the default workflow. Because it is documented as standard behavior, accidental deployment of unsafe storage is likely.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.