Choco

Security checks across malware telemetry and agentic risk

Overview

This skill is largely what it discloses itself to be: a Windows service repair tool built around Chocolatey and NSSM. It does, however, direct the agent to make elevated, persistent service changes and even to upgrade the skill itself, without adequate user-control safeguards around either.

Install only if you are comfortable with an agent assisting with Windows Administrator-level Chocolatey and service-management work. Review every generated command before running it, verify the exact service name and executable path it targets, use a maintenance window for stop/remove/re-register operations, never store Windows passwords in scripts, and do not allow the self-heal upgrade step unless you explicitly intend to modify the installed skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The 'Self-heal' section instructs the agent to modify the skill itself via '/skill-kit upgrade choco' after execution, creating a self-modification path unrelated to the immediate package/service task. Self-editing behavior weakens the trust boundary around reviewed instructions: it can be abused to persist unsafe changes, expand scope, or overwrite the instructions the user reviewed, all without explicit user approval.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding
The document states that existing service settings must be preserved, but the example script simultaneously encourages changing `LocalSystem` to a user account for Syncthing-like services. That contradiction can cause operators to alter the service identity during migration, changing file ownership, ACL behavior, and service privileges in a way that may break security assumptions or availability.

Intent-Code Divergence

Severity: Low
Confidence: 95%
Finding
The template includes `$objectPassword = "<USER_PASSWORD>"` and passes it to `sc.exe`, despite warning against hardcoding plaintext passwords. This normalizes insecure credential handling and risks password exposure through saved scripts, shell history, process command-line inspection, backups, or source control.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The documentation provides privileged commands using 'gsudo' to stop/start services, modify NSSM configuration, and run PowerShell scripts, but it does not require confirmation, backups, or validation before system changes. In an agent setting, normalized admin commands can lead to unintended service disruption or unsafe execution if applied to the wrong package, service, or script path.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding
The procedure performs destructive actions like stopping, removing, and re-registering a Windows service without a prominent disruption or rollback warning. An operator following it blindly could cause service outage, loss of startup configuration, or prolonged downtime if re-registration fails.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The instructions require handling a Windows account password for service registration but do not provide a strong, upfront warning about credential exposure. In a privileged administrative workflow, encouraging direct password use can lead to credential leakage and compromise of the service account or user account.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The documented procedure instructs operators to stop, reconfigure, and restart a Windows service with elevated privileges, but does not explicitly warn that this will interrupt the service and make persistent system-level changes. In an operational skill used during troubleshooting, omission of that warning can lead to unintended downtime or unsafe application to the wrong service, especially because the command is designed to run as Administrator.
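The guarded workflow that the overview and the findings above call for (snapshot the existing configuration before touching it, verify the executable actually registered for the service, keep the service identity rather than silently moving LocalSystem to a user account, prompt for a password instead of embedding one, and confirm before the disruptive stop/re-register step), as an added PowerShell example written for this page. It is not code from the scanned skill. It assumes the service was registered with sc.exe or NSSM under the name passed in `$ServiceName`, that it is run from an elevated prompt, and that `$ExpectedBinaryPath` is a path the operator has already reviewed; the script name and the service name `syncthing` in the usage note are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example for this page, not code from the scanned skill.
# Guards a stop / reconfigure / start of one Windows service:
#   1. snapshots the current configuration (the rollback source),
#   2. verifies the executable path and its signature before re-registering,
#   3. keeps the existing service identity and prompts for a password
#      instead of embedding one,
#   4. requires an explicit confirmation before the disruptive step.
param(
    [Parameter(Mandatory)] [string] $ServiceName,   # e.g. 'syncthing' (placeholder)
    [string] $ExpectedBinaryPath,                   # optional: the path you reviewed
    [switch] $DryRun                                # stop after the checks
)
$ErrorActionPreference = 'Stop'

# 1. Snapshot the live configuration and the raw registry key.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found; refusing to guess." }
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupJson = Join-Path $env:TEMP "$ServiceName-config-$stamp.json"
$backupReg  = Join-Path $env:TEMP "$ServiceName-config-$stamp.reg"
[ordered]@{
    Name = $svc.Name; PathName = $svc.PathName; StartMode = $svc.StartMode
    StartName = $svc.StartName; State = $svc.State
} | ConvertTo-Json | Set-Content -Path $backupJson -Encoding UTF8
reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$ServiceName" $backupReg /y | Out-Null

# 2. Resolve the executable from the registered command line and check it.
$exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split '\s+')[0] }
if (-not (Test-Path -LiteralPath $exe)) { throw "Registered executable '$exe' does not exist." }
if ($ExpectedBinaryPath -and ($exe -ne $ExpectedBinaryPath)) {
    throw "Binary path mismatch: service runs '$exe', you reviewed '$ExpectedBinaryPath'."
}
$sig = Get-AuthenticodeSignature -FilePath $exe
if ($sig.Status -ne 'Valid') { Write-Warning "'$exe' signature status: $($sig.Status)" }

# 3. Preserve the identity the service already runs under.
$cred = $null
if ($svc.StartName -ne 'LocalSystem') {
    # Only a user account needs a password; it lives in a SecureString, not in this script.
    $cred = Get-Credential -UserName $svc.StartName -Message 'Password for the existing service account'
}

Write-Host "Backups: $backupJson, $backupReg"
Write-Host "Will stop and re-register '$ServiceName' ($exe) as '$($svc.StartName)', start mode '$($svc.StartMode)'."
if ($DryRun) { return }
if ((Read-Host 'Type the service name to confirm') -ne $ServiceName) { throw 'Aborted by operator.' }

# 4. Disruptive step, with the old configuration restorable from the .reg export.
$startMap = @{ Boot = 'boot'; System = 'system'; Auto = 'auto'; Manual = 'demand'; Disabled = 'disabled' }
$scArgs = @('config', $ServiceName, "binPath= $($svc.PathName)")
if ($startMap[$svc.StartMode]) { $scArgs += "start= $($startMap[$svc.StartMode])" }
if ($cred) {
    # sc.exe only accepts the password on its command line, so it is visible to
    # process inspection for the lifetime of that one process; prefer LocalSystem
    # or a managed service account where the workload allows it.
    $scArgs += "obj= $($cred.UserName)", "password= $($cred.GetNetworkCredential().Password)"
}
Stop-Service -Name $ServiceName -Force
try {
    & sc.exe @scArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config exited with $LASTEXITCODE" }
} catch {
    Write-Warning "Re-registration failed: $_`nRestore with: reg.exe import `"$backupReg`""
    throw
} finally {
    Start-Service -Name $ServiceName
}
```

Run it once with `-DryRun` (for example `.\Reregister-Service.ps1 -ServiceName syncthing -DryRun`) to see the backups and the resolved executable without stopping anything, then again without the switch inside the maintenance window. The `.reg` export is the rollback: `reg.exe import` of that file, followed by a restart, puts the service key back exactly as it was if `sc.exe config` fails or re-registers the wrong thing.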

VirusTotal

VirusTotal findings are pending for this skill version.
