Jits Builder

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned, but it needs review because it publicly exposes generated local apps and runs an unverified Cloudflare tunnel binary from /tmp with weak input controls.

Install only if you intentionally want generated mini-apps to become publicly reachable through Cloudflare tunnel URLs. Do not use it with secrets, private business data, or unsafe generated code. Prefer a hardened version that verifies cloudflared from an official source outside /tmp, validates app names and ports, asks before public deployment, offers local-only mode, and automatically cleans up running apps.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Medium
Confidence: 86%
Finding: The comment says the command creates a tunnel, but in practice it publishes a local service through Cloudflare and saves the resulting public URL for later use. That external exposure is materially more sensitive than the comment suggests, and operators may invoke it without understanding they are making a local app reachable from the internet.

Missing User Warnings

Medium
Confidence: 90%
Finding: The README prominently advertises deploying generated apps to a public Cloudflare tunnel but does not warn users that the resulting app may be internet-accessible and could expose sensitive data, generated content, or insecure code. In the context of an agent that builds arbitrary mini-apps on demand, this omission increases the chance that users publish internal or unsafe applications without understanding the security implications.

Vague Triggers

Medium
Confidence: 93%
Finding: The skill advertises activation through broad, everyday phrases like "Build me" and "I need," which are common in normal conversation and can unintentionally trigger app generation. In this skill, accidental activation is more dangerous because generation is followed by writing files to disk and exposing the result via a public Cloudflare tunnel, increasing the chance of unintended public exposure.

Missing User Warnings

High
Confidence: 97%
Finding: The skill describes generating HTML, saving it under /data/clawd/jits-apps, serving it locally, and creating a Cloudflare tunnel, but it does not clearly warn users that this produces a publicly reachable URL and persists generated content on disk. That omission undermines informed consent and can lead users to expose sensitive prompts, embedded data, or generated content to the internet without realizing it.

Missing User Warnings

Medium
Confidence: 93%
Finding: This code creates a public Cloudflare tunnel to a localhost service without any disclosure, access control, or confirmation step. If the served application contains sensitive data or unsafe functionality, this silently converts a local-only service into an internet-accessible one, increasing the attack surface substantially.

Vague Triggers

Low
Confidence: 86%
Finding: The package description advertises a very broad capability to build and deploy mini-apps from generic voice or text descriptions, without any stated scope limits, safety boundaries, or trigger constraints. In an agent ecosystem, overly broad descriptions can cause the skill to activate for common development requests and perform sensitive actions such as code generation or deployment in contexts the user did not explicitly intend.

VirusTotal

62/62 vendors flagged this skill as clean.