Ai Cli Orchestrator

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it can automatically route project context and credential-related configuration through multiple external AI command-line tools with weak disclosure and controls.

Install only if you are comfortable with multiple AI CLI providers receiving repository context. Use it first on low-sensitivity projects, avoid .env or secret-bearing diffs in prompts, review or disable automatic fallback, and inspect the generated home-directory config before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The skill claims credentials are never sent to external servers, but its documented behavior includes reading project config files, loading context, and passing summaries, diffs, or other task context into third-party AI CLI tools. In practice, that context transfer can include secrets from files, environment-derived data, or sensitive project material, making the assurance misleading and increasing the risk of inadvertent disclosure.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The script claims to only scan AI CLI tools and generate config, but it also sources $HOME/.zshrc, which can execute arbitrary shell code and trigger hidden side effects unrelated to scanning. In a security-sensitive skill, implicitly executing a user startup file expands the trust boundary and can run aliases, functions, or commands that alter results or perform unintended actions.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The script actively executes discovered commands with --help, -h, --version, or -v instead of passively checking for their presence. Even seemingly harmless flags can invoke program startup code, plugins, network checks, telemetry, or malicious lookalike binaries found earlier in PATH, so probing tools this way creates execution risk without clear user warning.

Missing User Warnings

Severity: Low
Confidence: 82%
Finding
The script writes ~/.ai-cli-config.json as a side effect without prior disclosure or confirmation, which can overwrite prior user configuration or create persistent state unexpectedly. While the file contents are not directly attacker-controlled here, silent writes to the home directory are still a trust and safety issue for an ostensibly diagnostic script.

VirusTotal

66/66 vendors flagged this skill as clean.