ClawHub
Back to skill

Security audit

Json Tool

Security checks across malware telemetry and agentic risk

Overview

This is a local JSON utility that matches its advertised purpose, with the main caution that some operations overwrite the chosen input file unless an output path is provided.

Use this skill for local JSON work, but pass --output or work on a copy when formatting, minifying, or sorting important files because those modes can replace the original file by default. No evidence was found of network exfiltration, credential access, persistence, or unrelated system changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The format operation defaults to writing back to the original file when no output path is supplied, which can silently destroy the user's original formatting and any data if the write is interrupted or the user expected a read-only pretty-print action. In a file-manipulation skill, destructive defaults are risky because an agent may invoke the tool automatically and the user may not realize their source file will be modified in place.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The minify operation also overwrites the input file by default, creating a silent destructive action that can remove readability and potentially lose the original file if something fails during writing. Because this skill is intended for transformation tasks, users may reasonably expect output generation rather than implicit mutation of the source.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Sort-keys mode rewrites the original file unless an output path is specified, again making a destructive file modification the default behavior. In an agent skill context, this is more dangerous because autonomous or semi-autonomous execution can alter user files without an obvious confirmation step, leading to data loss or unwanted repository diffs.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.