ClawHub

Env Tool

Security checks across malware telemetry and agentic risk

Overview

This skill transparently prints environment variables, which is useful for debugging but can expose secrets if used carelessly.

Install only if you need an environment-variable inspection helper. Avoid running the full environment dump in shells that may contain API keys, tokens, passwords, cloud credentials, or internal endpoints; prefer querying specific non-sensitive variables.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly operates on environment variables, which can include secrets such as API keys, tokens, and credentials, yet no permissions are declared. Missing explicit permission signaling weakens review and runtime controls, making it easier for a skill to access or expose sensitive process state without adequate scrutiny.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill encourages listing all environment variables and printing specific values without any warning about secret exposure. In many environments, variables contain credentials, tokens, endpoints, and internal configuration, so displaying them in terminal output, logs, or transcripts can directly leak sensitive data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This script prints either a requested environment variable or the entire process environment directly to stdout, which can expose secrets such as API keys, tokens, database credentials, and internal configuration. In the context of an agent skill meant to inspect or modify runtime environment state, this behavior is especially dangerous because environment variables commonly contain sensitive data and stdout may be logged, surfaced to users, or captured by other systems.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal