PansClaw Code

Security checks across malware telemetry and agentic risk

Overview

This skill is a plausible PansClaw coding-CLI helper, but it normalizes running an AI coding agent with permission checks disabled and builds an external local binary outside the reviewed package.

Install only if you trust the external PansClaw source tree that will be compiled on your machine. Prefer local Ollama and safer permission modes such as read-only or workspace-write, and avoid the documented full-access or permission-skipping examples unless you are in an isolated disposable project and intentionally accept broad local changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill clearly instructs the agent to run shell commands (`cargo build`, `claw`, `ollama list`) but does not declare any corresponding permissions. Undeclared execution capability weakens reviewability and policy enforcement because operators may not realize the skill can build software and invoke local binaries.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 83%
Finding: The documented purpose says the skill is for using the PansClaw CLI, but the behavior includes broader operational actions such as building a local binary from a hardcoded path and potentially running additional maintenance or health-check commands. That mismatch is dangerous because reviewers and users may consent to a simple coding-assistant workflow without realizing the skill can modify the local system and execute a locally sourced binary.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding: This configuration explicitly disables permission safeguards by setting `permissionMode` to `danger-full-access` and `dangerouslySkipPermissions` to `true`. In an AI-assisted coding CLI, that means model-directed actions can read, modify, or execute against the local environment without meaningful user approval, greatly increasing the risk of destructive filesystem changes, secret exposure, or unintended command execution.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The quickstart explicitly instructs users to run the CLI with `--dangerously-skip-permissions`, which disables permission safeguards and allows unrestricted tool execution. In an AI-assisted coding tool, this materially increases the chance that model-driven actions can read, modify, or execute beyond the intended scope, especially since the flag is presented as a normal one-shot usage example rather than an exceptional last-resort option.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The skill repeatedly recommends `--dangerously-skip-permissions` as a normal invocation pattern and provides no warning about the loss of safety controls. In this context, that flag can cause the downstream CLI to perform code-writing or shell-affecting actions without confirmation, amplifying the risk of destructive or unintended operations.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The skill documents cloud providers and API keys but does not warn that prompts, code, and possibly sensitive workspace data may be sent to external services. For an AI-assisted coding skill, this omission is meaningful because users may pass proprietary source code or secrets to third-party APIs without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The documentation explicitly exposes a permission-bypass flag (`--dangerously-skip-permissions`) with no warning, guardrails, or explanation of the security consequences. In a coding-agent CLI, this can normalize unsafe usage and lead users or downstream automation to disable approval checks, increasing the chance of destructive file/system actions without user review.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The documentation repeatedly instructs users to invoke the CLI with `--dangerously-skip-permissions`, which explicitly disables permission safeguards. In a coding-agent skill, that materially increases the chance that generated or delegated actions run without user review, enabling unintended file modification, command execution, or broader system impact if the model behaves unsafely or is prompt-injected.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: Showing `--dangerously-skip-permissions` in quickstart documentation without any warning normalizes insecure operation and encourages users to bypass safety controls by default. Because this skill is specifically for delegating coding tasks to an agentic CLI, omitting safety guidance makes misuse more likely and magnifies the blast radius of prompt injection, unintended file changes, or command execution.

VirusTotal

64/64 vendors flagged this skill as clean.