Deepspeed Finetune

Security checks across malware telemetry and agentic risk

Overview

This fine-tuning skill is not clearly malicious, but it should be reviewed because it can give an agent broad SSH control and persistent key access to remote training machines.

Install only if you are comfortable giving the agent SSH-level control of the target training server. Use a non-root remote account, verify host keys, avoid no-passphrase keys unless you know how to revoke them, review every remote command before it runs, and run untrusted models or datasets in an isolated environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly describes shell execution, file access, environment-variable use, and remote operations, yet it declares no permissions. This creates a transparency and consent problem: a caller or policy engine cannot accurately understand or constrain what the skill may do, increasing the chance of unintended command execution, file modification, or secret exposure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The stated description focuses on model fine-tuning, but the documented behavior extends into broad SSH-based remote administration, file transfer, tmux session management, and arbitrary remote command execution. That mismatch is dangerous because users may authorize a training skill without realizing it can act like a remote shell/orchestration tool, materially expanding the attack surface and the blast radius of misuse.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The documented `remote-exec` command provides a general-purpose shell execution primitive on the remote host, which exceeds the stated narrow purpose of remote model fine-tuning. In an agent setting, exposing a broad execution surface increases the chance of misuse, prompt-induced abuse, or accidental execution of destructive commands on the remote machine.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill exposes a general-purpose remote-exec feature that can run arbitrary shell commands on the connected server, which far exceeds the stated scope of remote fine-tuning management. In an agent/skill context this materially expands abuse potential, enabling arbitrary code execution on remote infrastructure using stored session information and available credentials.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Arbitrary remote shell execution is not justified by the skill's purpose of launching and monitoring fine-tuning jobs. Because the same code also manages authentication and session reuse, this turns the skill into a generic remote administration channel, increasing the blast radius if invoked by a user or downstream agent unexpectedly.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The workflow says to connect to a remote machine and auto-detect hardware by running commands if the user provides an SSH address, but it does not prominently warn that this will execute commands on the remote host. Even benign commands like nvidia-smi, free, df, and nproc are still remote code execution from a trust and authorization perspective, and could violate user expectations or organizational controls.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The guide instructs the agent to recommend generating an ed25519 key pair with no passphrase for fully automatic access, but does not present an adjacent warning about the security tradeoff. An unencrypted private key stored on disk can be abused by anyone who gains local access to the machine or steals the file, leading to persistent unauthorized remote access.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide includes a generic remote command execution feature without a nearby warning that arbitrary commands run with the remote account's privileges and may alter, exfiltrate, or delete data. In this skill context, agents are expected to perform training tasks, so undocumented expansion into arbitrary command execution materially increases operational risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The troubleshooting guide includes package removal and reinstall commands such as uninstalling and force-reinstalling components without any warning about side effects. In documentation for an automation-capable agent skill, this is dangerous because an agent or user may execute these steps directly, causing environment breakage, downtime, or loss of cached artifacts.

Missing User Warnings

High
Confidence
98% confidence
Finding
Recommending `--trust_remote_code true` without a warning encourages execution of arbitrary model repository code from remote sources. In a fine-tuning skill that may fetch models from external hubs, this can lead to remote code execution on the host running training jobs.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide includes `sudo apt-get install` commands that make system-level changes but does not warn about elevated privileges, host modification, or package trust. In agent-driven environments, this can unexpectedly alter the system, violate least-privilege expectations, or fail dangerously on production hosts.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The remote-exec function executes arbitrary commands without any user-facing warning, confirmation, or indication that shell syntax and destructive actions are possible. In a skill setting, this makes misuse easier and obscures the true risk of remote code execution.

VirusTotal

66/66 vendors flagged this skill as clean.