Swcr Register

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its stated purpose, but it can generate official registration text from generic assumptions, so users should review it carefully before relying on it.

Install only if you are comfortable letting the agent read the selected project source and create registration documents. Before uploading or submitting anything, manually verify the generated source excerpts, ownership details, software functions, technical features, dates, and rights-holder information; replace any generic generated descriptions with accurate user-provided text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill explicitly instructs reading from local directories or cloning repositories and generating output files, which implies file read/write capability, but no permissions are declared. This creates a transparency and policy gap: an agent may access local source code and write documents without users or the platform having an explicit permission boundary, increasing the risk of overbroad data access or accidental handling of sensitive code.

Intent-Code Divergence

Medium
Confidence: 92%
Finding:
The script fabricates fallback '主要功能' ("main functions") and '技术特点' ("technical features") text when README-derived content is missing or too short, instead of clearly marking the information as unknown or requiring user confirmation. In a software copyright registration workflow, this can cause users to submit inaccurate claims about capabilities or architecture, creating compliance, misrepresentation, and legal risk even though it is not a code-execution issue.

VirusTotal

VirusTotal findings are pending for this skill version.
