Agent Flight Recorder

Security checks across malware telemetry and agentic risk

Overview

This proof-audit skill mostly matches its stated purpose, but it ships with an embedded bootstrap key, stores the Cryptowerk credentials it provisions in plaintext, and sends file hashes to a remote service without an explicit confirmation step.

Review this before installing if you work with private or regulated files. Use it only for files whose hashes you are comfortable sending to Cryptowerk, keep the skill directory out of source control and backups, restrict permissions on cwconfig.json and any .cwseal sidecar files so that only the owner can read them, and prefer an environment in which each network registration is explicitly approved before it is sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Lp3

Severity
Medium
Category
MCP Least Privilege
Confidence
89%
Finding
The skill declares no explicit permissions, yet its documented behavior clearly includes reading local files, writing sidecar artifacts, and making network calls to obtain credentials and interact with Cryptowerk proof APIs. This creates a permission/transparency gap: users and enforcement systems may not realize the skill can access filesystem content and send derived data externally, increasing the risk of unintended data exposure or policy bypass.

Missing User Warnings

Severity
Medium
Confidence
97%
Finding
This code silently provisions API credentials by calling the vendor endpoint with an embedded bootstrap key and then uses the returned credential for subsequent requests, without any user consent or disclosure. That creates an undisclosed outbound authentication flow and effectively embeds a reusable secret in the skill, which can be extracted, abused, or used to enroll agents without the operator understanding what credentials are being created or transmitted.

Missing User Warnings

Severity
Medium
Confidence
95%
Finding
The retrieved credential components are written into cwconfig.json in plaintext via manipulateConfig, with no warning, permission hardening, or secret-management controls. Storing API credential material locally in a predictable file path increases the chance of credential theft through local compromise, accidental inclusion in logs/backups, or source control leakage.

Missing User Warnings

Severity
Medium
Confidence
94%
Finding
The script sends a file-derived cryptographic hash to a remote API, but there is no explicit user-facing disclosure or consent step in the code path. Even though only the hash is transmitted and the skill’s purpose is proof registration, hashes can still function as persistent identifiers and may reveal file membership or enable correlation across systems, so silent transmission is a real privacy and security concern.

Missing User Warnings

Severity
Medium
Confidence
92%
Finding
The script modifies local file-associated metadata by appending a retrieval ID and timestamp without warning the user or asking for confirmation. In an audit/provenance skill this behavior is functionally expected, but silently mutating artifacts can still violate user expectations, break workflows that assume immutability, or create integrity/privacy issues if metadata is later synced, published, or trusted as untouched.
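The three remediations above (restrict permissions on cwconfig.json and .cwseal files, detect credential material stored in the clear, and gate each hash registration on explicit approval) can be checked and enforced locally. The following is an added example written for this review, not code from the skill or from Cryptowerk. The config key names, the `.cwseal` layout, the `send` callback standing in for the Cryptowerk API call, and the sample files are all constructed assumptions; the skill's real `manipulateConfig` and network code are not reproduced here.

```python
"""Local hardening checks for a proof-audit skill that keeps API credentials
in cwconfig.json and sends file hashes to a remote proof service.
Added example for this review; not the skill's or the vendor's own code.
Assumed: key names in cwconfig.json, the .cwseal sidecar naming, and the
send() callback that stands in for the remote registration call.
Permission checks rely on POSIX mode bits and are not meaningful on Windows.
"""
from __future__ import annotations

import hashlib
import json
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Callable, Optional

# Key names that suggest credential material. Assumption: the finding only
# says "credential components" were written; these patterns are a guess.
SECRET_KEY_RE = re.compile(r"(key|secret|token|password|credential)", re.I)


def insecure_mode(path: Path) -> bool:
    """True if the file is readable or writable by group or others."""
    mode = stat.S_IMODE(path.stat().st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def plaintext_secret_keys(config_path: Path) -> list[str]:
    """Dotted paths of JSON keys that look like secrets and hold a
    non-empty string, i.e. credentials stored in the clear."""
    found: list[str] = []

    def walk(node, prefix: str = "") -> None:
        if isinstance(node, dict):
            for k, v in node.items():
                if isinstance(v, str) and v and SECRET_KEY_RE.search(k):
                    found.append(prefix + k)
                walk(v, prefix + k + ".")
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{prefix}{i}.")

    walk(json.loads(config_path.read_text()))
    return found


def audit_skill_dir(skill_dir: Path) -> dict[str, list[str]]:
    """Report cwconfig.json and .cwseal files with loose permissions, and
    cwconfig.json keys that hold plaintext secrets."""
    report: dict[str, list[str]] = {"loose_permissions": [], "plaintext_secrets": []}
    cfg = skill_dir / "cwconfig.json"
    for f in [cfg, *sorted(skill_dir.rglob("*.cwseal"))]:
        if f.exists() and insecure_mode(f):
            report["loose_permissions"].append(str(f.relative_to(skill_dir)))
    if cfg.exists():
        report["plaintext_secrets"] = plaintext_secret_keys(cfg)
    return report


def register_hash(path: Path, approve: Callable[[str, str], bool],
                  send: Callable[[str], str]) -> Optional[str]:
    """Consent-gated registration: compute the SHA-256 of the file and call
    send(digest) only if approve(name, digest) returns True. Returns the
    service's identifier, or None if the operator declined."""
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    if not approve(path.name, digest):
        return None
    return send(digest)


def demo() -> dict:
    """Run the checks on a constructed skill directory (sample data, not a
    real Cryptowerk configuration) and return the results."""
    with tempfile.TemporaryDirectory() as td:
        d = Path(td)
        cfg = d / "cwconfig.json"
        cfg.write_text(json.dumps({"endpoint": "https://example.invalid",
                                   "apiKey": "EXAMPLE-KEY", "credential": "s3cr3t"}))
        os.chmod(cfg, 0o644)  # the weak setting: group/world readable
        doc = d / "report.pdf"
        doc.write_bytes(b"constructed sample document")
        seal = d / "report.pdf.cwseal"
        seal.write_text("{}")
        os.chmod(seal, 0o600)  # the corrected setting: owner only
        before = audit_skill_dir(d)
        os.chmod(cfg, 0o600)  # remediate, then re-check
        after = audit_skill_dir(d)
        sent: list[str] = []
        denied = register_hash(doc, approve=lambda n, h: False,
                               send=lambda h: (sent.append(h) or "proof-id-1"))
        approved = register_hash(doc, approve=lambda n, h: True,
                                 send=lambda h: (sent.append(h) or "proof-id-1"))
        return {"loose_before": before["loose_permissions"],
                "loose_after": after["loose_permissions"],
                "secrets": before["plaintext_secrets"],
                "denied": denied, "approved": approved, "sent": sent,
                "digest": hashlib.sha256(b"constructed sample document").hexdigest()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the demo, `audit_skill_dir` reports cwconfig.json while it is mode 0644 and nothing once it is chmod'ed to 0600; the two `register_hash` calls show that nothing leaves the machine until the approval callback returns True, which is the explicit confirmation step the findings say the skill lacks.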

VirusTotal

0 of 64 vendors flagged this skill; all 64 reported it clean.
