Back to skill

Security audit

Clawhub Skill Search

Security checks across malware telemetry and agentic risk

Overview

This is mostly a skill-search guide, but it includes exposed credentials and publishing/upload instructions that do not fit that purpose.

Review before installing. Do not reuse any included token or app secret; rotate them if they are real. Treat this package as a broad recommendation guide only, and avoid running any publish, upload, or account-linked commands unless the credentials, destination, and user confirmation are explicit.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (22)

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The skill is described as a marketplace search/discovery guide, but the examples immediately proceed to executing other skills and operational commands. This creates capability confusion and can cause an agent or user to treat a low-risk discovery skill as an execution-capable orchestrator, expanding the effective trust boundary without clear authorization.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The documented behavior goes far beyond skill search into end-to-end execution of research, analysis, writing, parsing, and publishing workflows. In the context of a search skill, this is dangerous because it encourages privilege creep and may let a broadly-invoked routing skill trigger higher-risk actions users did not explicitly authorize under the expected skill scope.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The WeChat publishing scenario introduces content publication and account-linked actions that are unrelated to a marketplace skill-search function. This materially increases risk because publishing can affect external systems, expose private content, and misuse connected accounts, yet the skill framing does not signal that level of operational sensitivity.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The document exposes a live Clawhub token, its config file path, and explicitly instructs readers to use that credential for publishing. This is unrelated to a skill whose purpose is marketplace discovery/search, so the presence of credential discovery and reuse instructions materially expands capability into account access and remote publication.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The PowerShell example provides a ready-made authenticated upload workflow to publish content to Clawhub via API, including reading a local ZIP and sending it with bearer auth. For a skill advertised only as helping users find and select skills, this is out-of-scope functionality that could be abused for unauthorized or accidental publication if the token is valid.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The document includes very broad natural-language trigger examples such as generic requests for searching papers, analyzing data, or polishing an abstract. In a skill-discovery skill, overly broad triggers can cause the skill to activate on ordinary user tasks instead of only when the user is asking for skill selection, which may misroute requests, suppress more appropriate skills, or create confusing behavior.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The implicit trigger phrases are broad, generic user requests that overlap with normal conversation and many unrelated skills. This can cause unintended activation of the marketplace-search skill, leading to misrouting, user confusion, and possible suppression of more appropriate skills in the agent workflow.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Saying the skill will 'automatically trigger' from direct need descriptions without defining boundaries makes routing behavior ambiguous. In a multi-skill environment, this ambiguity can cause the skill to intercept ordinary task requests that should instead invoke task-specific skills, degrading reliability and increasing the chance of incorrect tool selection.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases around statistical-analysis are broad everyday requests such as asking what statistical method to use or to interpret regression results. In an auto-triggering agent ecosystem, vague patterns can cause unintended skill activation on ordinary conversation or insufficiently scoped data-analysis requests, which may lead to unsafe processing of sensitive files or misleading automated actions.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The publication-related trigger examples are ambiguous commands like publishing an article, creating a draft, or rendering Markdown, without clear guardrails on destination, authorization, or confirmation. In a marketplace skill that helps users discover and invoke skills, this increases the chance of accidental activation of content publication workflows, potentially causing unintended external posting or disclosure of sensitive content.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The manifest description includes a broad trigger for 'any request about navigating the 238+ skill ecosystem,' which can cause this skill to activate for many generic marketplace or capability-discovery prompts. Over-broad routing increases the chance of inappropriate skill selection, prompt hijacking of unrelated conversations, and reduced user control over which specialized skill is invoked.

Vague Triggers

High
Confidence
95% confidence
Finding
The implicit trigger section maps very common requests like 'analyze this data' or 'polish this text' directly to downstream skills without requiring user confirmation or stronger disambiguation. This creates an unsafe overreach condition where ordinary task requests can be intercepted by this meta-skill, causing unintended delegation, confused routing, or invocation of higher-capability tools the user did not ask for.

Missing User Warnings

High
Confidence
100% confidence
Finding
The documentation includes live-looking credential values in setup instructions and presents them as environment variables to export. Exposing secrets in a skill file is highly dangerous because anyone with access to the file can reuse the credentials to access or abuse the associated WeChat account and downstream publishing capabilities.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list maps common writing-related terms such as "润色", "改写", and "摘要" directly to a skill without any narrowing conditions. Broad keywords increase the chance of unintended activation in unrelated conversations, which can cause the wrong skill to run, confuse users, or route potentially sensitive content into an unexpected workflow.

Vague Triggers

Medium
Confidence
86% confidence
Finding
Generic visualization triggers like "画图" and "可视化" are broad enough to match many ordinary requests that may not intend to use this marketplace skill. In a skill-search context, this can lead to accidental activation and inappropriate recommendations or execution paths, especially when the user is discussing charts casually rather than asking to discover a specific skill.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The reference includes commands for publishing to WeChat and creating drafts without any warning that these actions may post externally, create persistent content, or use connected accounts. Showing operational publishing commands in a quick reference can normalize unsafe execution and may cause accidental external publication or disclosure of private data if copied blindly.

Missing User Warnings

High
Confidence
99% confidence
Finding
The report publicly displays a full authentication token and the local configuration path without any masking or warning, creating immediate credential leakage and privacy exposure. Anyone with access to the file can reuse the token for actions against the Clawhub account until it is revoked.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The API upload instructions direct users to send a local ZIP file with an Authorization header, but they do not adequately warn that the script transmits local content and live credentials to a remote endpoint. This increases the chance of accidental data disclosure, misuse, or unsafe copy-paste execution.

Ssd 3

High
Confidence
100% confidence
Finding
Hardcoded credential values are embedded directly in natural-language setup instructions, which constitutes direct secret disclosure. In this skill context the danger is heightened because the same section also guides publishing actions, making the secrets immediately actionable for unauthorized account use.

Ssd 3

High
Confidence
99% confidence
Finding
The report instructs readers to reveal and reuse a live token in plaintext, directly encouraging insecure credential handling and propagation. Because the skill context is only discovery/recommendation, the secret exposure is especially unjustified and therefore more suspicious and dangerous.

Ssd 3

High
Confidence
99% confidence
Finding
The script hardcodes the bearer token directly in the example, which promotes copying, sharing, logging, and long-term exposure of a live credential. Hardcoded secrets are easily exfiltrated from repos, tickets, screenshots, and terminal history, enabling unauthorized publishing or other account actions.

Ssd 3

Medium
Confidence
90% confidence
Finding
Repeatedly confirming token availability and restating the credential location increases the discoverability of sensitive information and normalizes unsafe handling. Even without reprinting the token itself in every section, this repeated surfacing makes secret exposure more likely through screenshots, copied excerpts, or operational misuse.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.