clawsec-nanoclaw

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real NanoClaw security tool, but it gives agents host-side authority to restore and approve protected files by default, so it should be reviewed before installation.

Install only if you intentionally want NanoClaw agents to manage protected host files, not just scan advisories. Before enabling it, restrict which agents or groups can call integrity and approval tools, run checks with autoRestore=false during testing, review and back up baselines, and preserve audit/quarantine data during incident response.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill documentation advertises network access, feed retrieval, package verification, and likely environment usage, but no explicit permission model is declared. In an agent ecosystem, undeclared capabilities reduce transparency and can cause operators to grant or inherit broader access than intended, especially for a security-themed skill that users may trust more readily.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated purpose is advisory checking, but the documented tool surface includes integrity monitoring, baseline creation, auto-restore, quarantine, audit-log management, and approval of file changes. This is a high-risk scope expansion because a user may install a 'security checker' while actually granting a tool authority to inspect, modify, restore, and bless host files, which materially changes the trust and attack model.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The documentation says agents can support dual signatures during key rotation, but elsewhere states the verifier always uses a single pinned public key and `.sig` files, with no runtime key override. This inconsistency can cause operators to believe rotated packages will verify when they will not, leading to failed updates, unsafe manual bypasses, or prolonged reliance on a compromised key during a key-rotation event.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The document mixes incompatible claims about Ed25519 signing: it shows `openssl dgst -sha512 -sign` usage, then later describes detached signatures as base64-encoded raw Ed25519 signatures and a verification flow that hashes the package with SHA-512 before Ed25519 verification. Ed25519 is a pure (non-prehash) scheme: it hashes the full message with SHA-512 internally, and OpenSSL does not sign with Ed25519 keys through `openssl dgst` at all; signing goes through `openssl pkeyutl -sign` with `-rawin` over the whole file. A verifier that feeds a SHA-512 digest, rather than the package bytes, into Ed25519 verification will reject every correctly produced signature, so this confusion can produce signatures that cannot be verified as documented or lead developers to implement incorrect custom verification logic.
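The two findings above (dual-key rotation vs. a single pinned key, and pre-hashing vs. pure Ed25519) are easiest to see side by side in a verifier. The following is an added example written for this review, not code from the clawsec-nanoclaw skill: it assumes a hypothetical trusted-key set keyed by key ID (so an old and a new key can both be valid during a rotation window), public keys pinned as base64 raw 32-byte values, and detached `.sig` files holding the base64 raw 64-byte signature over the package bytes. Keys and package bytes are generated inline and are constructed sample data.

```typescript
import { createHash, createPublicKey, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

// SPKI DER prefix for an Ed25519 public key; the raw 32-byte key follows it.
const ED25519_SPKI_PREFIX = Buffer.from("302a300506032b6570032100", "hex");

// Hypothetical trust store: keyId -> base64 raw public key. Holding more than one entry
// is what lets a rotation window accept packages signed by either the old or the new key.
export type TrustedKeys = Record<string, string>;

export function rawToPublicKey(rawB64: string): KeyObject {
  const raw = Buffer.from(rawB64, "base64");
  if (raw.length !== 32) throw new Error("Ed25519 public key must be 32 raw bytes");
  return createPublicKey({ key: Buffer.concat([ED25519_SPKI_PREFIX, raw]), format: "der", type: "spki" });
}

export function publicKeyToRaw(key: KeyObject): string {
  const der = key.export({ type: "spki", format: "der" });
  return der.subarray(der.length - 32).toString("base64");
}

// Detached signature: base64 of the 64-byte raw Ed25519 signature over the package bytes themselves.
// Ed25519 applies SHA-512 internally; the caller must not pre-hash.
export function signPackage(pkg: Buffer, privateKey: KeyObject): string {
  return sign(null, pkg, privateKey).toString("base64");
}

export interface VerifyResult { ok: boolean; keyId?: string; reason?: string; }

export function verifyPackage(pkg: Buffer, sigB64: string, trusted: TrustedKeys): VerifyResult {
  const sig = Buffer.from(sigB64, "base64");
  if (sig.length !== 64) return { ok: false, reason: `signature must be 64 raw bytes, got ${sig.length}` };
  for (const [keyId, rawB64] of Object.entries(trusted)) {
    if (verify(null, pkg, rawToPublicKey(rawB64), sig)) return { ok: true, keyId };
  }
  return { ok: false, reason: "no trusted key verifies this signature" };
}

// The "hash with SHA-512, then verify" flow the document describes. A signature made over pkg
// never verifies over sha512(pkg), so this path rejects every correctly produced signature.
export function verifyPrehashed(pkg: Buffer, sigB64: string, rawB64: string): boolean {
  const digest = createHash("sha512").update(pkg).digest();
  return verify(null, digest, rawToPublicKey(rawB64), Buffer.from(sigB64, "base64"));
}

// Constructed walkthrough: keys generated here, not the skill's real keys.
export function demo() {
  const oldKey = generateKeyPairSync("ed25519");
  const newKey = generateKeyPairSync("ed25519");
  const rogueKey = generateKeyPairSync("ed25519");
  const pkg = Buffer.from("clawsec-nanoclaw package contents (constructed sample)");

  const rotationWindow: TrustedKeys = {
    "release-key-old": publicKeyToRaw(oldKey.publicKey),
    "release-key-new": publicKeyToRaw(newKey.publicKey),
  };
  const sigOld = signPackage(pkg, oldKey.privateKey);
  const sigNew = signPackage(pkg, newKey.privateKey);
  const sigRogue = signPackage(pkg, rogueKey.privateKey);

  return {
    oldKeyStillVerifies: verifyPackage(pkg, sigOld, rotationWindow),
    newKeyVerifies: verifyPackage(pkg, sigNew, rotationWindow),
    rogueRejected: verifyPackage(pkg, sigRogue, rotationWindow),
    tamperedRejected: verifyPackage(Buffer.concat([pkg, Buffer.from("x")]), sigNew, rotationWindow),
    prehashMismatch: verifyPrehashed(pkg, sigNew, rotationWindow["release-key-new"]),
    // What the single-pinned-key verifier does once packages are signed with the rotated key.
    singlePinnedKeyAfterRotation: verifyPackage(pkg, sigNew, { "release-key-old": rotationWindow["release-key-old"] }),
  };
}
```

With a single pinned key, `singlePinnedKeyAfterRotation` fails the moment releases switch to the new key, which is the failed-update / manual-bypass scenario the finding describes; the trust set above accepts either key for the rotation window and the old entry is simply dropped afterwards. `prehashMismatch` is false for the same package and signature that `newKeyVerifies` accepts, which is the pre-hash confusion in concrete form.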

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The handler explicitly allows any IPC caller group to trigger `advisoryCacheManager.refresh()`, with no authorization check beyond a comment claiming rate limiting. This broadens host-side control beyond a narrow read-only advisory lookup and can be abused for unnecessary outbound activity, cache churn, or service degradation by less-trusted agent groups.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The IPC surface exposes host-side signature verification for arbitrary `packagePath` and `signaturePath` supplied by the caller, which is a privileged capability not clearly bounded to the stated advisory-checking purpose. Without authorization and path validation, this can become a confused-deputy primitive for probing host filesystem paths or invoking sensitive verification logic on attacker-chosen files.
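The two IPC findings above (any group may trigger a refresh; caller-chosen `packagePath` and `signaturePath` reach host-side verification) come down to a missing authorization gate in front of the handler. The following is an added example written for this review, not the skill's own handler: it assumes a hypothetical policy object that lists which caller groups may invoke each tool, a fixed set of directories verification may read from, and a minimum interval between refreshes. Tool names, the policy shape and the sample paths are assumptions for illustration.

```typescript
import * as path from "node:path";

export type ToolName = "advisory.lookup" | "advisory.refresh" | "signature.verify";

// Hypothetical policy: per-tool group allowlist, confinement roots for file-taking tools,
// and a refresh interval that applies regardless of who asks.
export interface IpcPolicy {
  allowedGroups: Record<ToolName, string[]>;
  verifyRoots: string[];     // absolute directories signature.verify may read from
  refreshIntervalMs: number; // minimum spacing between advisory refreshes
}

export interface IpcRequest { tool: ToolName; callerGroup: string; args: Record<string, string>; }
export interface IpcDecision { allowed: boolean; reason: string; resolved?: Record<string, string>; }

// Returns the normalized path if it lies strictly inside one of the roots, else null.
// path.resolve collapses ".." segments, so traversal is judged on the final location.
export function confine(candidate: string, roots: string[]): string | null {
  if (!path.isAbsolute(candidate)) return null;
  const resolved = path.resolve(candidate);
  for (const root of roots) {
    const rel = path.relative(path.resolve(root), resolved);
    const escapes = rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
    if (!escapes) return resolved;
  }
  return null;
}

export class IpcGate {
  private lastRefreshAt = -Infinity;

  constructor(private policy: IpcPolicy, private now: () => number = Date.now) {}

  decide(req: IpcRequest): IpcDecision {
    const groups = this.policy.allowedGroups[req.tool] ?? [];
    if (!groups.includes(req.callerGroup)) {
      return { allowed: false, reason: `group "${req.callerGroup}" may not call ${req.tool}` };
    }
    if (req.tool === "advisory.refresh") {
      const t = this.now();
      if (t - this.lastRefreshAt < this.policy.refreshIntervalMs) {
        return { allowed: false, reason: "refresh rate limit: too soon since last refresh" };
      }
      this.lastRefreshAt = t;
      return { allowed: true, reason: "ok" };
    }
    if (req.tool === "signature.verify") {
      const pkg = confine(req.args.packagePath ?? "", this.policy.verifyRoots);
      const sig = confine(req.args.signaturePath ?? "", this.policy.verifyRoots);
      if (!pkg || !sig) return { allowed: false, reason: "packagePath/signaturePath outside verification roots" };
      if (!sig.endsWith(".sig")) return { allowed: false, reason: "signaturePath must be a .sig file" };
      return { allowed: true, reason: "ok", resolved: { packagePath: pkg, signaturePath: sig } };
    }
    return { allowed: true, reason: "ok" };
  }
}
```

The gate hands back the resolved paths so the handler opens exactly what was checked rather than re-deriving them from the caller's strings. Since `path.resolve` does not follow symlinks, a handler that reads the file should additionally `realpath` it and re-run the same confinement check before use.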

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The integrity check tool is not purely observational: its documented behavior and parameters allow it to restore files automatically. For a skill whose stated role is vulnerability/advisory checking, adding state-changing remediation expands privilege and creates a mismatch where a security-check action can unexpectedly modify protected files.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The approval tool accepts an arbitrary absolute path and marks the change as trusted baseline state, which can legitimize tampering rather than detect it. In a vulnerability-checking skill, this is especially dangerous because it gives the skill a mechanism to silence future integrity alerts for attacker-modified files.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Automatic restoration is a write-capable action that can alter files as part of a nominal integrity check. In this skill context, that capability is unjustified and risky because an agent or caller may trigger modifications to host-monitored files without a separate, clearly intentional remediation step.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The manifest description frames the skill as advisory monitoring and signature verification, but the SBOM and exposed MCP tools show additional integrity monitoring, change approval, and audit-verification capabilities. This capability mismatch can mislead reviewers and operators into granting installation or trust under a narrower security model than the skill actually implements, increasing the chance of over-privileged deployment.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill's stated purpose is vulnerability checking and advisory verification, yet it exposes change-approval and audit-related MCP tools that imply a governance or authorization role beyond passive analysis. In a security tool context, such undocumented approval functionality is more dangerous because users may trust the skill as a scanner while it also influences protected changes, creating a path for unauthorized approvals or policy bypass if integrated incautiously.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The uninstallation section includes destructive file-deletion commands but does not explicitly warn the operator that local skill files and cached advisory data will be permanently removed. While the commands are scoped to specific paths rather than arbitrary user input, omission of a warning increases the chance of accidental data loss or operator error during manual execution.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The tool description says checks can automatically restore critical files, and the code defaults autoRestore to true unless explicitly disabled. That creates a surprising side effect where users invoking a security check may unknowingly trigger file modifications, increasing the chance of unsafe or unintended changes.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The approval workflow updates what the system considers trusted without a strong execution-time warning that future integrity checks will now accept the modified file. This can mislead operators into normalizing unauthorized changes and weaken the integrity monitoring model.
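The remaining findings about auto-restore defaulting on, approval of arbitrary paths, and the missing approval warning describe one design: an integrity check that writes by default and an approval that blesses anything. The following is an added example written for this review, not the skill's integrity or approval code: it shows the inverse defaults, a check that is observational unless `autoRestore` is explicitly `true`, quarantine of the tampered copy before any restore, approval restricted to already-baselined paths with a mandatory justification, an audit trail, and an explicit warning returned to the approver. Class and method names are hypothetical, and the walkthrough in `demo()` runs in a temp directory with constructed file contents.

```typescript
import { createHash } from "node:crypto";
import { existsSync, mkdirSync, mkdtempSync, readFileSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import * as path from "node:path";

export type Baseline = Record<string, string>; // absolute file path -> sha256 hex of trusted content

export interface AuditEntry { action: "drift" | "restore" | "approve"; file: string; actor: string; at: string; note: string; }
export interface CheckOptions { actor: string; autoRestore?: boolean; } // restore is opt-in, never implied
export interface CheckReport { drifted: string[]; restored: string[]; warnings: string[]; }

export function sha256Hex(data: Buffer): string {
  return createHash("sha256").update(data).digest("hex");
}

export class IntegrityMonitor {
  readonly audit: AuditEntry[] = [];
  private seq = 0;

  constructor(public baseline: Baseline, private quarantineDir: string, private knownGood: Record<string, Buffer>) {}

  // Observational unless autoRestore === true; drift is always written to the audit trail.
  check(opts: CheckOptions): CheckReport {
    const report: CheckReport = { drifted: [], restored: [], warnings: [] };
    for (const [file, expected] of Object.entries(this.baseline)) {
      const actual = existsSync(file) ? sha256Hex(readFileSync(file)) : "<missing>";
      if (actual === expected) continue;
      report.drifted.push(file);
      this.log("drift", file, opts.actor, `expected ${expected.slice(0, 12)}, found ${actual.slice(0, 12)}`);
      if (opts.autoRestore !== true) {
        report.warnings.push(`${file} drifted and was NOT restored (autoRestore not explicitly enabled)`);
        continue;
      }
      // Preserve the tampered copy for incident response before overwriting it.
      if (existsSync(file)) {
        writeFileSync(path.join(this.quarantineDir, `${path.basename(file)}.${++this.seq}`), readFileSync(file));
      }
      writeFileSync(file, this.knownGood[file]);
      report.restored.push(file);
      this.log("restore", file, opts.actor, "restored from known-good copy; tampered copy quarantined");
    }
    return report;
  }

  // Re-baselining only applies to a path that is already monitored, needs a justification,
  // and tells the approver what it just switched off.
  approve(file: string, actor: string, justification: string): { warning: string } {
    if (!(file in this.baseline)) throw new Error(`${file} is not a baselined file; refusing to bless an arbitrary path`);
    if (justification.trim() === "") throw new Error("approval requires a justification");
    const newHash = sha256Hex(readFileSync(file));
    this.baseline[file] = newHash;
    const warning = `${file} is now trusted at ${newHash.slice(0, 12)}; future integrity checks will no longer flag this content`;
    this.log("approve", file, actor, `${justification} (${warning})`);
    return { warning };
  }

  private log(action: AuditEntry["action"], file: string, actor: string, note: string): void {
    this.audit.push({ action, file, actor, at: new Date().toISOString(), note });
  }
}

// Constructed walkthrough: tamper, observe-only check, explicit restore, then a justified approval.
export function demo() {
  const dir = mkdtempSync(path.join(tmpdir(), "clawsec-demo-"));
  const quarantine = path.join(dir, "quarantine");
  mkdirSync(quarantine);
  const file = path.join(dir, "protected.json");
  const good = Buffer.from('{"autoRestore":false}\n');
  const tampered = '{"autoRestore":true,"allowAnyGroup":true}\n';
  writeFileSync(file, good);
  const mon = new IntegrityMonitor({ [file]: sha256Hex(good) }, quarantine, { [file]: good });

  writeFileSync(file, tampered);
  const observeOnly = mon.check({ actor: "agent:main" });           // default: report, do not write
  const untouched = readFileSync(file, "utf8") === tampered;
  const restored = mon.check({ actor: "agent:main", autoRestore: true });
  const backToGood = readFileSync(file, "utf8") === good.toString();

  let arbitraryPathRejected = false;
  try { mon.approve(path.join(dir, "not-baselined.txt"), "operator:alice", "test"); } catch { arbitraryPathRejected = true; }

  writeFileSync(file, tampered);                                    // an intentional change this time
  const { warning } = mon.approve(file, "operator:alice", "intentional config rollout");
  const afterApproval = mon.check({ actor: "agent:main" });

  return { observeOnly, untouched, restored, backToGood, arbitraryPathRejected, warning, afterApproval,
           auditActions: mon.audit.map((e) => e.action) };
}
```

The first `check` call reports the drift and leaves the tampered file in place, which is what an agent invoking a "security check" should get by default; writing only happens on the second call, where `autoRestore: true` is spelled out. Approval of a path that was never baselined is refused outright, and the warning string is the execution-time notice the last finding asks for.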

VirusTotal

VirusTotal findings are pending for this skill version.
