Skill Validator

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent validator, but it can automatically run scripts from other skills without sandboxing or clear per-run consent.

Review before installing. Use it only on skills you trust or inside a disposable sandbox, and manually inspect target scripts first. Do not run it against unknown newly installed skills in your normal workspace until execution is gated by confirmation and isolation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%

Finding: The validator directly executes shell scripts from the target skill during both the 'empty parameter' test and feature-specific tests. Because skills are treated as untrusted input, this turns a validation tool into a code-execution primitive that can run arbitrary attacker-controlled commands under the validator's privileges, which is especially dangerous given the hardcoded /root workspace path.

Context-Inappropriate Capability

Severity: Medium
Confidence: 83%

Finding: The script reads environment variables whose names are supplied by the target skill manifest, letting an untrusted skill probe which sensitive variables are set in the host environment. Even though values are not printed, this still leaks the presence or absence of secrets and expands the information an attacker-controlled skill can learn during validation.

Vague Triggers

Severity: Medium
Confidence: 88%

Finding: The trigger phrases are overly broad for a utility skill and can match ordinary user conversation about checking or testing skills, causing accidental invocation. In this context, accidental activation is more concerning because the skill is designed to inspect other skills and may run validation workflows or scripts against unintended targets, increasing the chance of unnecessary file access or disruptive actions.

Missing User Warnings

Severity: Medium
Confidence: 96%

Finding: The validator executes the first discovered shell script automatically during anomaly testing without any explicit warning, prompt, or consent flow. This creates hidden side effects and makes it easy for a malicious skill to achieve command execution when the user expects a safe validation pass, increasing the likelihood of accidental exploitation.

Missing User Warnings

Severity: Medium
Confidence: 95%

Finding: The feature test for diagnose skills runs diagnose.sh and captures its output without clearly disclosing that untrusted code is being executed. In this skill context, a 'validator' is expected to inspect and test safely, so silently executing diagnose.sh materially increases risk because the script may perform destructive actions, exfiltrate data, or modify the environment.

VirusTotal

VirusTotal findings are pending for this skill version.