Smart Model Switcher V5

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a model auto-switcher, but its documented authority is broader and less clearly controlled than users would expect.

Install only if you are comfortable with automatic model changes. Review the README and SKILL.md for cross-session sessionKey usage, disable or remove any ability to target other sessions, and avoid using it with sensitive images or prompts unless provider routing and consent behavior are clear.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The skill explicitly documents using `session_status(sessionKey: ...)` to switch models for other sessions, which exceeds a local auto-switcher's stated scope and enables cross-session state manipulation. If an agent follows this guidance, it could alter unrelated conversations or channels, causing integrity issues, user confusion, and policy bypass across sessions.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding: The document says model switching only affects the current session, then immediately provides instructions for switching other sessions by supplying a `sessionKey`. This contradiction is dangerous because it can mislead reviewers and users while still operationalizing broader control over other sessions, increasing the chance of unauthorized or unexpected state changes.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The README defines model-switching triggers using vague categories such as 'code keywords', 'reasoning keywords', and 'pure text task' without documenting boundaries, precedence, or exclusions. In a skill that automatically routes user content to different external providers and capabilities, this ambiguity can cause unintended model selection, over-sharing of sensitive inputs, and policy bypass through prompt phrasing or mixed-content messages.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The README advertises automatic image detection and switching to visual models but does not disclose that uploaded images and related content may be transmitted to third-party model providers for processing. This creates a real privacy and data-handling risk because users may share screenshots, documents, or photos containing secrets or personal data without understanding that external services will receive them.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding: The script can POST to a local session-management API and change the active model without an explicit confirmation or warning at the moment of execution. In an agent environment, silent model switching can alter downstream behavior, cost, data-handling characteristics, or safety posture in ways the user did not knowingly approve.

VirusTotal

66/66 vendors flagged this skill as clean.