run.dev — Local Dev Environment Manager

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate local development tool, but it asks users to run an unpinned remote installer that makes privileged system changes and under-discloses AI log handling.

Review this before installing. Inspect the remote install script and source repository first, confirm the sudoers helper is narrowly limited and removable, understand the port-forwarding and certificate changes, and avoid AI diagnosis on logs that may contain tokens, customer data, or proprietary details unless you have verified what is sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The skill states that 'code and logs never leave the machine' while also documenting a configurable Claude proxy endpoint and HTTP client usage for crash diagnosis and live debugging. That is a misleading privacy/security claim: once logs or contextual data are sent to a proxy, they may leave the local process boundary and potentially the machine or trusted environment.

Missing User Warnings

Medium
Confidence: 95%
Finding
The AI crash-diagnosis/debugging feature is described without a clear warning that service logs, stderr, and runtime context may be sent to the configured Claude proxy. In a local dev manager, those logs can contain secrets, tokens, internal URLs, stack traces, or proprietary code paths, so the omission meaningfully increases risk of unintended data disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.