DeepMiner Skills

Security checks across malware telemetry and agentic risk

Overview

The skill fits its DeepMiner CLI purpose, but it needs review because it handles access keys and can forward full DeepMiner results between sessions with weak destination controls.

Install only if you trust the DeepMiner CLI package, its endpoint, and its publisher. Use a least-privilege AccessKey and keep real secrets out of shell history and shared transcripts. Verify the destination session before using the polling notification scripts, and do not send highly sensitive DM prompts or results through shared sessions or persistent status files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The skill gives contradictory instructions for how a polling subagent should report completion: one section requires direct use of a message tool, while a later section forbids message/sessions_send and requires plain output for relay. In an agent environment this can cause silent failures, lost notifications, or misrouted DM outputs, especially for long-running tasks that users may need to stop or answer.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The handling guidance for async_tag_task directly conflicts: one part says to continue polling, while another says to stop immediately and wait for the user to confirm in the GUI before polling resumes. This inconsistency can break task lifecycle control, cause users to miss required confirmations, or leave jobs running without supervision.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The script claims notifications go directly to the user, but if the preferred tool is unavailable it falls back to `sessions_send --sessionKey main`, which routes the content to a hardcoded main session instead. Because the notification content is derived from DM task results, this can expose task outputs, prompts, file links, or human-facing questions to the wrong recipient or agent context, a confidentiality and integrity risk.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill instructs users to initialize dm-cli with an AccessKey on the command line without any warning about the key's sensitivity or safer handling. Command-line secrets leak into shell history, process listings (`ps`), logs, screenshots, and shared transcripts, a realistic credential-exposure risk.
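One way to handle the key the way the warning above asks for, plus a check that a history file or transcript is clean before it is shared. This is an added example, not code from the skill or from DeepMiner: the environment variable name `DM_ACCESS_KEY`, the flag spelling `--access-key`, and the sample history lines are constructed for illustration and are not taken from the page.

```python
"""Safer AccessKey handling and transcript auditing for a CLI like dm-cli.

Added example, not code from the skill or from DeepMiner. Assumptions not
taken from the page: the variable name DM_ACCESS_KEY, the flag spelling
--access-key, and the sample history lines below are all constructed.
"""
import os
import re
import stat
from typing import Iterable, List, Mapping, Optional

ENV_VAR = "DM_ACCESS_KEY"  # assumed name for the environment variable

# Matches a key passed inline on a command line, as "--access-key KEY" or
# "--access-key=KEY". Only the flag spelling is assumed; adjust to the real CLI.
_INLINE_KEY = re.compile(r"(--access-key(?:=|\s+))(\S+)")

# Constructed shell-history sample: the first line leaks a key, the others do not.
SAMPLE_HISTORY = [
    "dm-cli init --access-key AKdemo123 --endpoint https://dm.example",
    "dm-cli status --task 42",
    "export DM_ACCESS_KEY=$(cat ~/.dm/access_key)",
]


def find_leaked_keys(history: Iterable[str]) -> List[str]:
    """Return every key that appears inline in history or transcript lines."""
    return [m.group(2) for line in history for m in _INLINE_KEY.finditer(line)]


def redact_line(line: str) -> str:
    """Replace an inline key with a placeholder so the line can be shared."""
    return _INLINE_KEY.sub(r"\1<REDACTED>", line)


def key_file_mode_ok(mode: int) -> bool:
    """The key file must not be readable or writable by group or others."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_access_key(env: Mapping[str, str], key_file: Optional[str] = None) -> str:
    """Read the key from the environment or an owner-only file, never from argv.

    Argument values show up in `ps`, shell history and logs; a process's own
    environment and a 0600 file are not visible to other users by default.
    """
    key = env.get(ENV_VAR, "").strip()
    if key:
        return key
    if key_file:
        mode = stat.S_IMODE(os.stat(key_file).st_mode)
        if not key_file_mode_ok(mode):
            raise PermissionError(f"{key_file} has mode {mode:o}; expected 0600 or stricter")
        with open(key_file, encoding="utf-8") as fh:
            return fh.read().strip()
    raise RuntimeError(f"set {ENV_VAR} or supply a key file; do not pass the key on the command line")


if __name__ == "__main__":
    print("leaked:", find_leaked_keys(SAMPLE_HISTORY))
    for entry in SAMPLE_HISTORY:
        print(redact_line(entry))
    print(load_access_key({ENV_VAR: "AKfromenv"}))
```

Run `find_leaked_keys` over `~/.bash_history` or a session transcript before it is shared; if it returns anything, rotate the key rather than only redacting the line, because the value has already been written to disk.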

Missing User Warnings

Medium
Confidence: 93%
Finding
The script forwards the full DM poll result to another session via `sessions_send`, including whatever data DM returns, with no filtering or minimization and no trust-boundary validation of the destination session key. In this skill's context, DM results may contain sensitive prompts, task outputs, human-facing questions, or internal metadata. Relaying the raw JSON across sessions can therefore expose confidential data to the wrong recipient if the parent session key is mis-set, or if that session is intercepted, logged, or less trusted than the originating context.
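What a fix for the two relay findings above (the hardcoded `main` fallback and the raw-JSON forwarding) looks like in practice: reduce the poll result to the lifecycle fields the other session needs, and refuse to send rather than fall back to a default session key. This is an added example, not code from the skill or from DeepMiner. The poll-result field names (`task_id`, `status`, `result`, `prompt`, `human_question`, `file_links`), the session keys, and the sample record are constructed placeholders; the real DeepMiner schema and session layout are not shown on the page.

```python
"""Minimize a DM poll result before relaying it and fail closed on the destination.

Added example, not code from the skill or from DeepMiner. The poll-result
field names, the session keys and the sample record are constructed; the real
DeepMiner schema and session layout are not shown on the page.
"""
import hashlib
import json
from typing import Dict, Iterable, Optional, Tuple

# Lifecycle fields the receiving session actually needs to drive polling.
LIFECYCLE_FIELDS = ("task_id", "status")
TERMINAL_STATES = {"completed", "failed", "cancelled"}

# Constructed poll result: everything except task_id/status is content that
# should stay in the originating session.
SAMPLE_POLL_RESULT = {
    "task_id": "t-1001",
    "status": "waiting_for_human",
    "prompt": "Summarise the Q3 incident report (internal)",
    "result": None,
    "human_question": "Approve sending the summary to legal?",
    "file_links": ["https://dm.example/files/abc"],
}


def result_digest(poll_result: Dict) -> str:
    """Short stable hash so the recipient can reference the record without receiving it."""
    canon = json.dumps(poll_result, sort_keys=True, default=str).encode("utf-8")
    return hashlib.sha256(canon).hexdigest()[:16]


def minimize(poll_result: Dict) -> Dict:
    """Keep lifecycle fields; reduce content-bearing fields to flags and a digest."""
    note = {k: poll_result[k] for k in LIFECYCLE_FIELDS if k in poll_result}
    note["needs_human"] = bool(poll_result.get("human_question"))
    note["has_result"] = poll_result.get("result") is not None
    note["is_terminal"] = poll_result.get("status") in TERMINAL_STATES
    note["digest"] = result_digest(poll_result)
    return note


def resolve_destination(requested: Optional[str], allowed: Iterable[str]) -> Optional[str]:
    """Return the session key only if it was explicitly given and is allowlisted.

    No silent fallback to a hardcoded key such as "main": an unset or unknown
    destination means the relay is refused and the caller must surface that.
    """
    if not requested or requested not in set(allowed):
        return None
    return requested


def build_relay(poll_result: Dict, requested: Optional[str],
                allowed: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Produce (session_key, payload) for sessions_send, or None if the relay must not happen."""
    dest = resolve_destination(requested, allowed)
    if dest is None:
        return None
    return dest, json.dumps(minimize(poll_result), sort_keys=True)


if __name__ == "__main__":
    print(build_relay(SAMPLE_POLL_RESULT, "agent-7f3a", ["agent-7f3a"]))
    print(build_relay(SAMPLE_POLL_RESULT, None, ["agent-7f3a"]))  # None: no fallback to main
```

The human question itself is deliberately not forwarded; the receiving session learns only that a question is pending and fetches it from DM in its own context, so a mis-set or logged session key exposes nothing more than a task id, a state, and a digest.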

VirusTotal

All 60 of 60 vendors reported this skill as clean.

View on VirusTotal