Linux Security Guardian

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Linux security audit skill, but it needs Review because it can run recurring privileged SSH actions, collect sensitive server data, query third-party CVE services, and email security reports.

Install only if you intentionally want a recurring, multi-server security automation skill with SSH access. Before enabling it, restrict the server list, avoid shared root keys where possible, review the auto-action whitelist, disable or narrow APPROVE ALL, confirm email recipients, and decide whether package inventories and findings may be sent to OSV.dev, CISA/NVD, and email systems.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (25)

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The skill declares that all operations must go through SSH MCP and explicitly forbids local execution, yet the CVE scan section performs local curl requests and writes scan artifacts on the guardian host. This mismatch can bypass the intended trust boundary, expose local secrets/filesystems to unintended processing, and make operators believe execution is remote-only when it is not.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The profile explicitly enables multiple system-modifying auto-remediation actions such as restarting security services and locking accounts, but does not require user confirmation, approval gates, or clear scoping constraints. In an audit workflow that runs across multiple clients and servers, this increases the risk of unintended changes, service disruption, or an attacker influencing the agent to perform state-changing actions automatically.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The module instructs inspection of highly sensitive account and authentication data such as /etc/passwd, /etc/shadow, sudoers, and login history without clearly warning that these commands require elevated privileges and expose sensitive information. In an agent skill context, that increases the risk of over-collection, accidental disclosure, or running privileged enumeration on systems without informed operator approval.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill recommends auto-actions such as 'passwd -l' and 'usermod -L' that can immediately disable user access, but it does not require confirmation, scope validation, rollback guidance, or an explicit warning about operational impact. In an automated agent workflow, this can cause unintended lockouts of legitimate or privileged accounts and create service disruption.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The module explicitly authorizes an in-place auto-fix to sshd configuration using sed, but the description does not include a clear user-facing warning about service disruption, lockout risk, need for backup, validation, or restart/reload implications. In an SSH hardening context, modifying authentication-related settings can immediately cut off remote administrative access or break connectivity if applied incorrectly or without verifying current access methods.

Missing User Warnings

Medium
Confidence
75% confidence
Finding
The skill text recommends 'AUTO-START' for fail2ban without an explicit warning, approval gate, or change-control note. In an agentic context, normative remediation language can cause downstream automation to make an unreviewed system change, which may disrupt access or violate operational policy.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The module instructs the agent to automatically enable and start auditd when it is not running, which changes system state during what is framed as an audit workflow. In a security-audit skill, undocumented or insufficiently gated remediation steps are risky because they can alter boot persistence and service behavior without explicit operator approval or environment validation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The module instructs the agent to write scan reports and advisory files into the workspace without any explicit user consent, dry-run mode, or warning that repository contents will be modified. In an audit skill, silent file creation can unexpectedly alter a checked-out repo, pollute working trees, or overwrite existing artifacts, which is especially risky in automated agent workflows.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill describes enriching findings with external services from the remote server but does not warn that installed package names and versions may be transmitted to third parties. Package/version inventories can reveal sensitive software stack details that aid fingerprinting, targeting, and compliance/privacy violations if sent off-host without user awareness.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The module instructs an automatic state-changing fix (`chmod 1777 /tmp`) as part of an audit skill. Even though the permission value is commonly correct for `/tmp`, performing remediation automatically from a scanning/audit module can unexpectedly modify a live system and may break hardened configurations or change evidence during an investigation.

Vague Triggers

Low
Confidence
84% confidence
Finding
The cron entry delegates execution to another skill file with no documented invocation guardrails, scope restrictions, or operator approval requirements, despite the workflow performing SSH access, automated remediation, and email delivery. In a permanent scheduled context, weak invocation constraints increase the chance of unintended broad execution, misuse of privileged audit actions, or repeated autonomous changes across all client servers.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The purpose text mentions auto-fixing safe issues and emailing reports, but it does not present these as prominent high-risk behaviors with clear warnings about autonomous modification of remote systems and external transmission of potentially sensitive security findings. Because the skill targets multiple client Linux servers via SSH on a recurring schedule, insufficiently explicit disclosure can lead to unsafe deployment, surprise remediation in production, and leakage of sensitive audit data through email workflows.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script uploads a batch of installed package names and versions to OSV.dev, which is an external third party. While this is functionally aligned with vulnerability scanning, it still discloses environment inventory data without explicit opt-in, consent, or a prominent warning, which can expose software stack details and create privacy/compliance issues.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The script sends package/product keyword queries to the NVD API without an explicit user-facing warning that external requests are being made. The transmitted data is less sensitive than full package inventory, but it still reveals scanning behavior and may have compliance or operational implications in restricted environments.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow compiles per-server, per-client, and master reports and sends them via an email plugin, potentially transmitting sensitive security findings, host details, and vulnerability data off-system. Failing to disclose this data-transmission behavior in the description creates privacy and data-handling risk, especially in a multi-client environment where reports may contain confidential infrastructure information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow compiles per-server, per-client, and master reports and sends them via an email plugin, potentially transmitting sensitive security findings, host details, and vulnerability data off-system. Failing to disclose this data-transmission behavior in the description creates privacy and data-handling risk, especially in a multi-client environment where reports may contain confidential infrastructure information.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The hook explicitly instructs sending compiled audit report bodies by email, which can transmit sensitive security findings, client identifiers, server details, and operational metadata over an external channel without any requirement for user consent, minimization, or privacy warning. In a security-audit context, this is risky because reports often contain high-value information, and the skill also hard-codes a sender domain and recipient lookup flow without any guardrails on classification or approved destinations.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The hook accepts a highly privileged bulk command, "APPROVE ALL", that can trigger execution of every pending action, and the trigger is defined in a broad natural-language way rather than as a tightly authenticated, structured confirmation flow. In this skill's context, approval leads to SSH-based remote execution and file state changes, so an accidentally matched owner message or ambiguous parsing could authorize multiple destructive operations at once.

Missing User Warnings

High
Confidence
90% confidence
Finding
The approval path performs sensitive operations—reading an action spec, connecting over SSH to a target server, executing actions, and moving audit files—without any explicit warning in the skill text that approval authorizes remote execution and persistent state changes. That omission increases the chance of uninformed or mistaken approvals, which is especially dangerous because the hook turns a simple reply into privileged server-side actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The hook instructs immediate email transmission of critical security findings and references logging outcomes without any notice, minimization, or handling constraints for potentially sensitive hostnames, IPs, vulnerability details, and remediation instructions. In a security automation context, this creates a real data exposure risk because sensitive incident data may be sent to unintended recipients or retained in systems without explicit consent or safeguards.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The fallback behavior writes alert information to AUDIT_LOG.md, which may persist sensitive security findings on disk without specifying file permissions, storage location, redaction, or retention limits. That is dangerous because local logs often have broader access than intended and can later expose exploitable vulnerability data, internal host details, or response actions.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## Rule 5 — Auto-Actions Whitelist Only

Agent can ONLY auto-execute actions listed in SERVER_PROFILE.md under `Auto-Actions Allowed`.
Anything not explicitly whitelisted → queue for confirmation.
No exceptions. Owner preference > agent judgment.
Confidence
89% confidence
Finding
auto-execute

Credential Access

High
Category
Privilege Escalation
Content
| Module | What it checks | SSH MCP Command |
|--------|---------------|-----------------|
| `01-system` | OS, kernel, uptime, last reboot, hardware | `ssh_exec(op="run", sessionId, command="uname -a; cat /etc/*release")` |
| `02-users` | Accounts, root access, sudo, empty passwords, inactive | `ssh_exec(op="run", sessionId, command="cat /etc/passwd; cat /etc/shadow; ...")` |
| `03-ssh` | sshd_config full audit — 20+ checks | `ssh_exec(op="run", sessionId, command="cat /etc/ssh/sshd_config")` |
| `04-auth` | Login history, failed logins, PAM config | `ssh_exec(op="run", sessionId, command="last; cat /var/log/auth.log")` |
| `05-services` | Running services, unnecessary ones, failed units | `ssh_exec(op="run", sessionId, command="systemctl list-units ...")` |
Confidence
91% confidence
Finding
/etc/passwd

Credential Access

High
Category
Privilege Escalation
Content
| Module | What it checks | SSH MCP Command |
|--------|---------------|-----------------|
| `01-system` | OS, kernel, uptime, last reboot, hardware | `ssh_exec(op="run", sessionId, command="uname -a; cat /etc/*release")` |
| `02-users` | Accounts, root access, sudo, empty passwords, inactive | `ssh_exec(op="run", sessionId, command="cat /etc/passwd; cat /etc/shadow; ...")` |
| `03-ssh` | sshd_config full audit — 20+ checks | `ssh_exec(op="run", sessionId, command="cat /etc/ssh/sshd_config")` |
| `04-auth` | Login history, failed logins, PAM config | `ssh_exec(op="run", sessionId, command="last; cat /var/log/auth.log")` |
| `05-services` | Running services, unnecessary ones, failed units | `ssh_exec(op="run", sessionId, command="systemctl list-units ...")` |
Confidence
91% confidence
Finding
/etc/shadow

Tool Parameter Abuse

High
Category
Tool Misuse
Content
## Auto-Actions That Are ALWAYS Safe
(From SERVER_PROFILE.md whitelist only)
- `chmod 1777 /tmp` — /tmp permissions
- `systemctl start auditd` — start audit daemon
- `systemctl start fail2ban` — start fail2ban
- `passwd -l <user>` — lock empty-password account
Confidence
93% confidence
Finding
chmod 1777

VirusTotal

63/63 vendors flagged this skill as clean.