Squid

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Squid pipeline authoring guide, but its examples include high-impact command execution, repository mutation, and publishing patterns that need careful human review before use.

Install only if you intend to author or run Squid pipelines that can execute local commands and spawn agents. Before running included or generated pipelines, use a sandbox or clean branch, inspect every run command, restrict repo and output paths, avoid untrusted npm scripts, and review git diffs before approving commits, deployments, or pull requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Description-Behavior Mismatch

High
Confidence: 95%
Finding
The pipeline culminates in creating a git branch, committing all changes, and opening a GitHub pull request against a user-supplied repository. That goes beyond passive workflow authoring/debugging and performs real repository-affecting actions, which is dangerous because prior spawned agents can modify the repo and this step publishes those changes externally with little friction once approval is granted.

Context-Inappropriate Capability

High
Confidence: 90%
Finding
The pipeline executes shell commands in a user-controlled repository path and later invokes external tooling such as npm test and gh. Even if intended for normal development, shell execution against arbitrary repos can trigger untrusted project scripts and side effects, making this more dangerous than simple workflow generation.

Vague Triggers

Medium
Confidence: 96%
Finding
The trigger description is broad enough to activate on generic mentions of pipelines, workflows, agents, or YAML, which can cause this powerful skill to be invoked outside its intended scope. Over-broad activation increases the chance of unintended instruction takeover, unsafe command suggestions, or misapplication of repository-specific workflow guidance in unrelated contexts.

Missing User Warnings

Medium
Confidence: 93%
Finding
Multiple spawned agents are instructed to implement changes directly in the repository, and the pipeline later stages all changes, commits them, and opens a PR without any prominent user-facing warning that repository contents will be modified and published. In a multi-agent pipeline, this compounds risk because several agents can concurrently change code before the final git add -A captures everything, including unintended or malicious modifications.

Missing User Warnings

Low
Confidence: 88%
Finding
The pipeline runs npm test in the user-supplied repository but does not clearly disclose this command execution to the user. Running repository-defined test commands is risky because package scripts and test harnesses can execute arbitrary code, access local files, or use networked credentials present in the environment.

Missing User Warnings

Medium
Confidence: 96%
Finding
This pipeline performs filesystem writes and shell execution using user-influenced values such as args.outputDir and scene narration, but the manifest/example provides no explicit warning about those side effects or safety constraints. More importantly, the run steps interpolate untrusted data into shell commands, creating command-injection and unsafe file-write risk in addition to undisclosed execution behavior.

VirusTotal

66/66 vendors flagged this skill as clean.