AI Agent Introspection Debugging Framework

Security checks across malware telemetry and agentic risk

Overview

This debugger is purpose-aligned, but it needs review because it can automatically modify a workspace, change permissions, install npm packages, and send detailed error reports externally.

Install only in a disposable or tightly scoped workspace unless you are comfortable with automatic repairs. Review or modify the skill so file creation, chmod, and npm install require explicit approval, and avoid configuring external webhooks unless error reports are redacted and safe to share.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 86%
Finding
The skill metadata declares no required permissions, yet the documentation indicates capabilities consistent with shell or system-level actions such as creating files, fixing permissions, and installing dependencies. This creates a trust and transparency gap: a user or platform may allow the skill under the assumption it is non-invasive, while it can drive system-modifying behavior through code or agent actions.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The skill performs privileged system-management actions as part of automatic error handling, including `chmod +x` and `npm install`, via shell execution. In a debugging/self-diagnosis skill, this greatly expands capability from observing/reporting into modifying the host environment, and can be triggered by attacker-controlled error text that influences what path or package gets acted on.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding
The skill can send full error reports, including messages and stack traces, to an arbitrary externally supplied webhook URL. That creates an exfiltration path for sensitive local information such as file paths, secrets embedded in errors, internal code structure, or operational details, and this capability is not essential to local debugging.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The markdown advertises automatic file creation, permission repair, and dependency installation without prominently warning that the skill may modify the local system. In an agent setting, self-healing behavior that changes files, permissions, or installed packages can be abused or mis-triggered, leading to unauthorized persistence, privilege misuse, environment tampering, or supply-chain risk.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The skill automatically creates missing files based on parsed error content without user confirmation. This can alter project state unexpectedly, mask real issues, and potentially write attacker-influenced files if an error message contains a crafted path, especially because only `node_modules` is excluded.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill changes file permissions automatically through a shell command and does so without clear user disclosure or confirmation. Permission changes can make previously non-executable files runnable, weaken local controls, and operate on attacker-influenced paths extracted from error strings.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
Automatically installing dependencies from parsed error text without user warning is dangerous because it executes package-manager actions that may fetch and run untrusted code or lifecycle scripts. The module name extraction is weak and the action is triggered from error content, making unintended or manipulated installs plausible.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill transmits debugging reports to a webhook without clear disclosure of what data is shared. Even when intended for alerting, undisclosed transmission of stack traces and error context can leak sensitive information and violates the principle of least surprise for a local debugging component.

VirusTotal

65/65 vendors flagged this skill as clean.