Operation Quarantine

Security checks across malware telemetry and agentic risk

Overview

This is a defensive local scanner with disclosed optional cloud and alert integrations, so install it only if those privacy tradeoffs fit your use case.

Use the default local-only mode for sensitive email or skill content. Enable LLM analysis or custom webhooks only if you accept sending scanned content or alert summaries to those configured services, and keep the bind host on 127.0.0.1 unless you intentionally expose the service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no explicit permissions while clearly requiring environment access, shell execution, and network use. This creates a transparency and governance gap: users and higher-level policy engines may treat it as lower risk than it actually is, leading to unsafe installation or execution decisions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The stated purpose is defensive scanning, but the documented behavior also includes optional transmission of scanned content to third-party LLM providers, OpenClaw messaging, and custom webhooks, plus network retrieval of skill content. That mismatch can cause users to expose sensitive email or skill contents externally without fully understanding the data flows.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The module can exfiltrate alert contents to arbitrary user-configured webhooks or Telegram, which expands the skill from local quarantine analysis into outbound data transmission. Even though this is gated by environment variables and described as optional, the transmitted content may include email metadata, matched suspicious text, and LLM reasoning, which can leak sensitive or attacker-controlled content to third-party services.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Direct network alerting is present through fetch calls to Telegram and arbitrary webhook URLs, which is broader capability than a quarantine scanner strictly needs. In this context, the danger is data leakage and misuse of scanned content, especially because quarantine systems process untrusted emails and skill contents that may contain sensitive information or adversarial text.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The function sends full email or skill content to a remote LLM endpoint, and the destination is configurable via environment or caller-provided baseUrl. That means untrusted but potentially sensitive scanned content can be exfiltrated to an arbitrary external service if configuration is changed, compromised, or misused, which is especially risky for a quarantine component expected to contain untrusted data safely.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script sends full skill content to a local quarantine service over plain HTTP without transport protection or any disclosure to the user. Even though the destination is localhost by default, the port is configurable via an environment variable, and local HTTP traffic can be intercepted, redirected, or exposed through port-forwarding, proxies, or container/network misconfiguration.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
This code pulls API credentials from environment variables and immediately transmits analyzed content to an external LLM service, but there is no indication in this file of any disclosure, consent, or audit control. In a security product that processes emails and skill payloads before they reach the agent, undisclosed third-party transmission materially increases privacy and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.