Security audit

Clihub Pub Full

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it gives an agent broad authority to discover local CLI tools, execute them, and persist information about them in a registry, with weak boundaries around each of those actions.

Install only if you intentionally want the agent to inventory and use local command-line tools. Keep command approval enabled, avoid bulk discovery on sensitive or production machines, register trusted tools selectively, and review registry entries for untrusted binaries before letting the agent rely on them.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch (Medium, 88% confidence)

The skill is presented as a discovery gateway, but the documented commands include registering, removing, and otherwise mutating a persistent CLI registry. This expands the skill from passive lookup into state-changing behavior, which can be abused to poison future tool resolution or create hidden persistence beyond what a user would expect from 'discovery'.

Description-Behavior Mismatch (Medium, 95% confidence)

Although the skill is described as discovery/lookup, it explicitly instructs the agent to execute arbitrary '<tool> --help' commands and later run constructed commands for that tool. Executing user-named binaries is a direct command-execution surface: a malicious or trojanized binary on PATH could run arbitrary code merely from lookup or help probing.

Context-Inappropriate Capability (Medium, 86% confidence)

The documented 'discover' behavior auto-scans the system for known binaries, which broadens the skill's reach from responding to a user request into enumerating the local environment. That can expose installed tools, development stack details, or security products, creating unnecessary information disclosure and attack-surface mapping.

Vague Triggers (Medium, 88% confidence)

The README markets cli-hub as a universal gateway for 'every CLI tool' with 'zero config,' which strongly encourages unconstrained activation across arbitrary commands. In an agent setting, broad activation language increases the chance the skill will intercept unrelated requests and route them into powerful local tools, expanding the attack surface to any installed CLI including network, filesystem, container, and remote-access utilities.

Vague Triggers (Medium, 85% confidence)

The examples normalize ordinary natural-language requests like JSON inspection, container listing, and proxy switching without clarifying when the skill should or should not activate. That makes it more likely an agent will silently choose and execute local commands on behalf of the user, including tools with sensitive side effects, rather than treating command execution as a privileged action needing clear consent.

Missing User Warnings (Medium, 91% confidence)

The README instructs users to 'scan my system and register all CLI tools you can find,' which implies enumerating the local environment and learning executable capabilities, then later executing discovered commands. In a security context, automatic discovery of installed tools materially increases capability escalation because the agent gains an index of sensitive binaries that may expose secrets, alter infrastructure, access remote systems, or manipulate files.

Missing User Warnings (Medium, 89% confidence)

The fallback behavior runs unknown tools with `--help` and version-style probes live, but the README does not clearly warn users that untrusted or unusual binaries will be executed during auto-registration. Although `--help` and `--version` are often read-only, malicious or poorly written executables can still perform side effects, make network calls, or trigger unsafe code paths when invoked.

Missing User Warnings (Medium, 82% confidence)

The README explicitly promotes a skill that can discover, register, and help execute arbitrary CLI tools across the system, but it does not warn users that this entails broad environment enumeration and potentially invoking local binaries. In an agent context, that increases the chance of unintended disclosure of installed tools, filesystem layout, and execution of side-effecting commands without informed user consent.

Missing User Warnings (Medium, 91% confidence)

The activation example tells the agent to scan the entire system and register all discovered CLI tools, normalizing broad host enumeration with no warning or approval step. In a skill whose purpose is universal CLI discovery, this context makes the behavior more dangerous because the agent is encouraged to inventory the environment and then use that inventory to drive later command execution.

Vague Triggers (Medium, 84% confidence)

The trigger condition is intentionally broad ('any mention of a CLI'), which makes accidental activation likely in benign conversations about tools. In this skill, over-triggering is risky because activation can lead to filesystem inspection, registry access, or shell execution paths that are disproportionate to the user's actual intent.

Missing User Warnings (Medium, 98% confidence)

The discovery workflow enumerates executables from PATH and optional user-supplied directories, then immediately runs them via registration logic to collect `--help`, `-h`, `help`, bare invocation, and version output. That means simply discovering tools can execute arbitrary attacker-controlled binaries placed earlier in PATH or dropped into a scanned directory, causing code execution and side effects under the user's privileges.

VirusTotal

64/64 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.