Free Resource

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its media-search purpose, but it includes under-documented original-download behavior and broad URL-to-file download commands that deserve review before use.

Install only if you are comfortable giving the skill API keys for the listed media services and letting it write files to paths requested by the agent. Prefer using provider search results as download sources, avoid arbitrary or private-network URLs, choose non-sensitive output folders, and review Freesound licensing before using original-file downloads.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Severity: Medium
Confidence: 79%
Finding:
The code implements `download-original`, which attempts to fetch full original files even though the help text presents downloads as preview-only. This hidden capability increases the skill’s effective access to copyrighted or larger media assets and may cause downstream agents or users to retrieve content they did not expect the tool to handle.

Intent-Code Divergence

Severity: Low
Confidence: 84%
Finding:
The help output omits the implemented `download-original` command and describes download behavior as preview-only, creating a documentation/behavior mismatch. Hidden or undocumented functionality is dangerous because it reduces operator awareness, impairs review, and can conceal higher-impact actions from normal usage and auditing paths.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The download command accepts an arbitrary user-supplied URL and writes the response to an arbitrary user-supplied local path without validation, overwrite checks, or path restrictions. In an agent context this can be abused for SSRF-style network access to unintended hosts and for clobbering local files, especially if the agent executes with broad filesystem permissions.
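The guardrails this finding asks for, as an added example written for this review rather than code from the skill itself. It shows the two checks a URL-to-file command should run before any I/O: the URL may only use HTTPS, must name a host on an allow-list of provider download hosts, and must resolve to public addresses only (the resolved addresses are returned so the caller can connect to them instead of re-resolving, closing the DNS-rebinding gap); the destination is confined to a chosen output directory after full path resolution and must not already exist. The host name `cdn.provider.test`, the `ALLOWED_HOSTS` set, the function names and `run_demo`'s constructed inputs are assumptions; the skill's real provider domains and code layout are not on this page.

```python
"""Guardrails for an agent-facing "download this URL to this path" command.

Added example written for this review; it is not the skill's own code.
ALLOWED_HOSTS, the function names and the demo inputs are assumptions.
"""
import ipaddress
import socket
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Assumed allow-list of provider download hosts (placeholder name).
ALLOWED_HOSTS = {"cdn.provider.test"}


class DownloadPolicyError(ValueError):
    """A download request that violates the policy."""


def _dns_resolve(host):
    """Default resolver: every address the host currently resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_url(url, resolve=_dns_resolve):
    """Return the set of pinned public IPs for a URL the skill may fetch.

    Rejects non-HTTPS schemes, hosts off the allow-list, and any host that
    resolves to a loopback, private, link-local or otherwise non-public
    address. The caller should connect to one of the returned IPs (keeping
    the original hostname for SNI/Host) so a later DNS answer cannot point
    the request at an internal host (DNS rebinding).
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        raise DownloadPolicyError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host or host not in ALLOWED_HOSTS:
        raise DownloadPolicyError(f"host not on allow-list: {host!r}")
    pinned = set()
    for addr in resolve(host):
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:
            raise DownloadPolicyError(f"{host} resolves to non-public {ip}")
        pinned.add(str(ip))
    if not pinned:
        raise DownloadPolicyError(f"{host} did not resolve")
    return pinned


def check_dest(requested, base_dir):
    """Return a destination confined to base_dir that does not exist yet.

    An absolute `requested` replaces base_dir when joined, and `..`
    segments or symlinks can escape it, so containment is decided on the
    fully resolved path, not on the string the agent supplied.
    """
    base = Path(base_dir).resolve()
    dest = (base / requested).resolve()
    if base not in dest.parents:
        raise DownloadPolicyError(f"{requested!r} escapes {base}")
    if dest.exists():
        raise DownloadPolicyError(f"refusing to overwrite {dest}")
    return dest


def check_download_request(url, requested, base_dir, resolve=_dns_resolve):
    """Validate both halves of a download command before any I/O happens."""
    return check_url(url, resolve), check_dest(requested, base_dir)


def run_demo():
    """Exercise the checks on constructed inputs; returns {case: outcome}.

    Stub resolvers keep this offline: 8.8.8.8 stands in for a public
    address, 10.0.0.5 simulates a rebinding or internal DNS answer.
    """
    public = lambda host: {"8.8.8.8"}
    internal = lambda host: {"10.0.0.5"}
    base = tempfile.mkdtemp(prefix="skill-dl-")
    (Path(base) / "existing.wav").write_bytes(b"RIFF")  # constructed file
    good = "https://cdn.provider.test/sound/1.wav"
    cases = {
        "ok": (good, "sounds/1.wav", public),
        "http scheme": ("http://cdn.provider.test/sound/1.wav", "a.wav", public),
        "metadata host": ("https://169.254.169.254/latest/meta-data/", "a.wav", public),
        "localhost": ("https://localhost:8080/admin", "a.wav", public),
        "dns rebind": (good, "a.wav", internal),
        "absolute path": (good, "/etc/cron.d/evil", public),
        "traversal": (good, "../../.ssh/authorized_keys", public),
        "overwrite": (good, "existing.wav", public),
    }
    results = {}
    for name, (url, path, resolver) in cases.items():
        try:
            check_download_request(url, path, base, resolver)
            results[name] = "allowed"
        except DownloadPolicyError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:14s} {outcome}")
```

The fetch itself is deliberately left out: whatever HTTP client is used should not follow redirects automatically (each `Location` must go back through `check_url`, otherwise an allowed host can bounce the agent to an internal one), should cap the number of bytes written, and should write to a temporary file in the output directory and rename it into place only after the response completes.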

VirusTotal

65/65 vendors flagged this skill as clean.
