Ping Model

Security checks across malware telemetry and agentic risk

Overview

This skill presents simulated model latency numbers as real measurements, so users could be misled by its ping and comparison results.

Install only if you treat this as a demo formatter, not a real benchmark. Do not use its results for model selection, routing, incident diagnosis, or performance claims until it either measures actual model calls and implements real switching or clearly labels all output as simulated.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 91%
Finding
The skill claims to measure real model latency and support temporary model switching, but the described behavior indicates it instead simulates timing and infers model state indirectly rather than actually exercising the requested model. This is dangerous because it can mislead users and downstream automation into trusting fabricated performance data, and any subprocess-based session inspection increases attack surface and can expose or misuse local execution context if implemented unsafely.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The skill claims to measure real model latency and support temporary model switching, but the implementation only sleeps for hardcoded/random delays and reports them as if they were actual ping results. This is a deceptive integrity issue: users may make operational decisions based on fabricated performance data, especially in comparison mode where rankings are entirely synthetic.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The inline comment acknowledges the timing is only simulated, but the executable output still presents the result as a normal "PING" with timestamps and latency, without warning the user that the numbers are fake. That mismatch increases the risk of user deception because the caveat exists only in source code, not in runtime behavior or user-facing documentation.

VirusTotal

66/66 vendors flagged this skill as clean.