magic-wormhole

Security checks across malware telemetry and agentic risk

Overview

The skill's core function is secure secret transfer, but its examples go beyond that into privileged server/account changes and risky credential handling that users should review before installing.

Install only if you are comfortable reviewing and constraining the examples before use. Use the wormhole transfer portions, but do not let an agent run the server-provisioning, sudoers, authorized_keys, AWS/Git credential-store, or ClawHub-token workflows unless you explicitly requested those actions, verified the target host/account, and have a rollback plan. Prefer short-lived or test credentials, avoid plaintext /tmp or .env storage when possible, and treat wormhole codes as sensitive until redeemed or expired.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (25)

Context-Inappropriate Capability
Severity: Medium | Confidence: 87%
Finding: This section expands the skill from secret-sharing into broader account provisioning and remote system administration by creating users and setting passwords over SSH. In an agent skill, that scope creep is dangerous because it encourages credential generation, remote account modification, and distribution workflows that exceed the stated purpose and could be misused in production environments.

Context-Inappropriate Capability
Severity: Low | Confidence: 91%
Finding: The documentation extends into handling live secrets from password managers and SSH private keys, which increases the chance that users transfer or process highly sensitive credentials without sufficient safeguards. In a secret-sharing skill this is contextually plausible, but the examples normalize risky operational patterns beyond simple file transfer and can lead to credential exposure or misuse.

Intent-Code Divergence
Severity: Medium | Confidence: 94%
Finding: The summary claims tokens never appear in chat logs or audit trails, but multiple examples in the document place secrets into shell commands, stdout, files, and persistent stores. This mismatch is dangerous because users may trust the safety claim and adopt examples that still expose credentials via shell history, terminal scrollback, process inspection, or local audit/logging mechanisms.

Intent-Code Divergence
Severity: High | Confidence: 99%
Finding: The token rotation example prints the old token directly to stdout while the same document advises 'Never Log Tokens.' Exposing a valid or recently valid secret in terminal output can leak it through logs, scrollback, recording tools, shared sessions, or operator copy/paste mistakes.

Description-Behavior Mismatch
Severity: Medium | Confidence: 97%
Finding: The file is supposed to demonstrate secret sharing with magic-wormhole, but this section expands into full server provisioning and account setup. That scope creep is dangerous because it encourages an agent to perform privileged infrastructure changes that are unrelated to the core skill and could be misused or executed on the wrong host.

Context-Inappropriate Capability
Severity: High | Confidence: 99%
Finding: This section includes root-level user creation and writes a NOPASSWD sudoers entry, which materially increases access on a remote server. In an agent skill, documenting these privileged actions alongside secret transfer creates a path to unintended persistence and privilege escalation far beyond the stated purpose.

Context-Inappropriate Capability
Severity: Medium | Confidence: 95%
Finding: The example remotely appends SSH public keys into users' `authorized_keys` files for multiple accounts. Although sometimes legitimate, this is still a credential-establishment action on remote systems and exceeds the narrow secret-sharing purpose of the skill.

Context-Inappropriate Capability
Severity: Medium | Confidence: 94%
Finding: The installer persists a PATH change by appending to `~/.bashrc`, which alters shell startup behavior beyond a one-time package installation. While adding `~/.local/bin` is common for user-level pip installs, silently making persistent profile changes can surprise users and broadens the script's scope in a way that could be abused if the target directory later contains unintended executables.

Missing User Warnings
Severity: Medium | Confidence: 95%
Finding: The document explicitly tells a human to provide a live ClawHub API token to the agent, but the instruction is not paired with an immediate warning that the token is a sensitive credential or with a safer handling method. In an agent-skill context where skills may have broad access and logs/transcripts may persist, encouraging direct token sharing increases the risk of credential exposure and unauthorized publication or account actions.

Missing User Warnings
Severity: Medium | Confidence: 94%
Finding: The alternative workflow again normalizes entering or sharing an existing API token without an adjacent warning about exposure through shell history, logs, screenshots, or agent transcripts. Because this is documentation for operational use, omission of secure-handling guidance can directly lead users to expose a valid credential.

Missing User Warnings
Severity: Medium | Confidence: 93%
Finding: The README promotes chat-log safety, yet its examples place the wormhole code directly in chat. A wormhole code is effectively an access token for the transfer; if it is logged or observed by another party before redemption, the secret can be intercepted or the transfer disrupted.

Missing User Warnings
Severity: Medium | Confidence: 96%
Finding: The documented receive workflow writes a plaintext API token to `/tmp/token`, which may be readable by privileged users, captured by backups, or remain recoverable after deletion. This undermines the stated goal of minimizing plaintext secret exposure and creates avoidable local disclosure risk.

Missing User Warnings
Severity: Medium | Confidence: 96%
Finding: This workflow repeats the unsafe pattern of storing a received API token in `/tmp/token` without warning about plaintext persistence. Even brief temporary storage can leak secrets through local inspection, crash dumps, filesystem forensics, or operational logging around temp-file handling.

Missing User Warnings
Severity: Medium | Confidence: 84%
Finding: The example writes received secrets to `/tmp`, which is a commonly accessible location and may expose sensitive data through weak permissions, local monitoring, backups, or race/symlink issues. Even with later deletion, transient plaintext storage increases the attack surface for credentials handled by the skill.

Missing User Warnings
Severity: Medium | Confidence: 96%
Finding: Examples that send password-manager contents and SSH private keys lack prominent warnings about the sensitivity and irreversibility of exposing such credentials. This is dangerous because users may copy these patterns for production secrets, resulting in account compromise, unauthorized access, or long-lived key leakage if the transfer endpoint or recipient is mistaken.

Missing User Warnings
Severity: Medium | Confidence: 98%
Finding: Piping received data directly into credential stores or `ssh-agent` encourages blind trust of unverified input, which can import attacker-controlled secrets or keys into trusted environments. In this context, an attacker who tricks a user into receiving unexpected content could poison credential stores, add unauthorized SSH identities, or trigger downstream misuse without an inspection step.

Missing User Warnings
Severity: Medium | Confidence: 92%
Finding: The example recommends appending secrets directly into a persistent `.env` file without warning that `.env` files are plaintext, commonly over-permissioned, and often accidentally committed, backed up, or exposed through process/runtime tooling. This can lead to long-term secret exposure well beyond the intended one-time transfer flow.

Missing User Warnings
Severity: Medium | Confidence: 87%
Finding: The examples instruct users to save received secrets into password managers, keyrings, or `~/.env` without clearly warning that these actions create persistent local credential storage. In a secret-sharing skill, users may assume transfer security extends to storage security, increasing the chance of accidental long-term exposure on shared or unmanaged systems.

Missing User Warnings
Severity: Medium | Confidence: 95%
Finding: The AWS CLI and Git examples modify long-lived local credential stores but do not clearly warn that the credentials will persist beyond the current session. This is especially risky for automation or agent contexts where the operator may not realize tokens are being written to durable configuration files such as `~/.aws` or `~/.git-credentials`.

Missing User Warnings
Severity: Medium | Confidence: 96%
Finding: The quick-reference command appends the received secret directly to `~/.env` without formatting safeguards, validation, or warnings. This can corrupt the file format, duplicate entries, accidentally expose raw secret material, or cause later tools to load unintended values from a broadly reused environment file.

Missing User Warnings
Severity: Medium | Confidence: 93%
Finding: The privileged workflow performs sensitive changes (creating accounts, installing keys, and granting sudo-like privileges) without strong warnings about authorization, environment validation, rollback, or production risk. That omission increases the chance of accidental misuse by operators or autonomous agents.

Missing User Warnings
Severity: Medium | Confidence: 90%
Finding: The guide sends raw private SSH keys over network tooling but does not clearly disclose the trust assumptions, sensitivity of the material, or the risks of terminal history, process inspection, and mishandling on either endpoint. For a secrets-focused skill, missing privacy caveats materially increases operational risk.

Missing User Warnings
Severity: Medium | Confidence: 97%
Finding: The script writes to `~/.bashrc` without an explicit warning or confirmation immediately before doing so. Even though the change is not inherently malicious, modifying shell startup files without consent creates persistence and can have lasting effects on future shell sessions.

Ssd 3
Severity: Medium | Confidence: 96%
Finding: This section instructs a human to hand a live ClawHub API token to the agent for authentication and publishing, which is a direct request for a usable secret. In the context of agent tooling, where uploaded skills can have broad permissions and interactions may be retained, this creates a real path to credential misuse, account compromise, or unintended publication actions.

Ssd 3
Severity: Medium | Confidence: 97%
Finding: The next-steps workflow operationalizes secret transfer by telling the human to generate and then provide the API token to the agent. That is unsafe by design because it trains users to disclose long-lived credentials to an automation layer that may not guarantee confidentiality, especially given the document's own warning that skills can be risky and may inherit powerful permissions.

VirusTotal

55/55 vendors flagged this skill as clean.