OmniSkill Universal Skill Dispatcher (OmniSkill 通用技能调度器)

Security checks across malware telemetry and agentic risk

Overview

This skill is a broad dispatcher that asks agents to route nearly all work through it and can install, register, load, and execute plugins with insufficient scoping.

Install only if you explicitly want a central plugin dispatcher with broad local authority. Review any remote source before running the README commands, avoid automatic agent execution of the onboarding script, keep the socket gateway bound to localhost, and do not register untrusted plugin paths or metadata because registered entries can persist and influence future code loading and SKILL.md prompt content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (29)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
try:
    # Import the module named in the registry metadata
    module = importlib.import_module(module_path)
    skill_class = getattr(module, class_name)
    skill_instance = skill_class()  # Instantiate the skill

    # Cache the instance
Confidence
91% confidence
Finding
skill_class = getattr(module, class_name)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if platform.system() != 'Windows':
    kwargs['preexec_fn'] = preexec_fn

process = subprocess.Popen(
    command,
    stdout=subprocess.PIPE,
    stderr=subprocess.PIPE,
    text=True,
    **kwargs
)
Confidence
94% confidence
Finding
process = subprocess.Popen( command, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, **kwargs )

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises powerful capabilities including shell, file read/write, network, and environment access without any declared permission boundaries or user-visible constraints. That creates a significant trust gap: a broadly triggered orchestration skill could invoke sensitive operations implicitly, making review, consent, and policy enforcement much harder.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The description presents the skill as a generic dispatcher that must be invoked for nearly all tasks, but the referenced behavior includes gateway serving, packaging, registry rewriting, rollback management, and sandboxed subprocess execution. This mismatch obscures the real attack surface and can mislead reviewers or users into granting broad trust to what is effectively a privileged control plane.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The README explicitly instructs an AI agent to clone a repository, install dependencies, and execute registration commands in the local environment. For a skill that is supposed to act as a dispatcher, these are environment-modifying supply-chain actions that can lead to arbitrary code execution through unreviewed packages, install scripts, or later-invoked tooling.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The documentation claims execution occurs in an isolated sandbox, but elsewhere describes local deployment, subprocess invocation, and cross-language execution without showing any concrete sandbox boundary or enforcement mechanism. This can mislead operators and agents into treating risky code execution as safe, reducing caution around plugin onboarding and execution.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The README asserts that sub-skills execute securely in an isolated sandbox, but the same document describes dependency installation, packaging of arbitrary external tools, and cross-language execution via subprocess/IPC without showing any concrete sandbox boundaries or enforcement. This can mislead an agent or operator into trusting unsafe execution paths and lowers scrutiny around code that may run with local system access.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The task list documents deleting existing skill directories and repointing all hooks to a single omni-skill, which materially expands the blast radius from a normal skill implementation to ecosystem-wide interception and control. In this context, a universal dispatcher that becomes mandatory for all tasks and automation flows can be abused as a choke point for privilege escalation, hidden policy bypasses, or suppression of specialized safeguards in prior skills.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The CLI does more than maintain a local SQLite registry: it also rewrites SKILL.md, which is part of the LLM's prompt/control surface. Because skill names and descriptions come from registered metadata, an attacker who can register a skill can inject or alter instructions shown to the model, creating a prompt-injection and trust-boundary violation not implied by the tool's stated purpose.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The documentation claims the tool uses SQLite as the registry store, but the implementation also modifies SKILL.md. This mismatch hides a security-relevant side effect: operators may grant access assuming only local database updates, while the tool actually changes model-consumed instructions, increasing the chance of unsafe deployment and missed review.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The dispatcher rebuilds executable routing state from persistent database metadata and then re-registers skills without validating that the stored module/class targets are trusted. If an attacker can modify the SQLite database or influence stored metadata through another code path, they can persist unauthorized plugin behavior across restarts and cause execution of attacker-controlled code through normal dispatch operations.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This code constructs module and class targets from database metadata and passes them to the lazy loader for dynamic import and execution. That creates a direct path from tamperable persistent data to code loading, which is effectively arbitrary code execution if an attacker can alter the metadata or plant/import a malicious module in the Python path.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The builder modifies the packaged artifact by unconditionally injecting new runtime-specific gateway files, which changes behavior beyond straightforward packaging. In the context of a central orchestration skill that must be invoked broadly, silent code injection increases supply-chain and integrity risk because downstream users may execute files they did not author or review.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The docstring claims a dynamic sandbox with resource limits, but the implementation only applies limited process rlimits on non-Windows systems and otherwise runs commands directly on the host. This mismatch is security-relevant because developers or users may trust the function as safe containment when it does not provide true sandbox isolation.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This file exposes a reusable primitive for arbitrary local command execution that exceeds what a generic orchestration skill should need unless tightly constrained elsewhere. In the context of an omni-skill that must be invoked broadly for many user tasks and automation triggers, this becomes more dangerous because the execution surface is large and may be reachable from many workflows.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README tells AI agents to perform clone, package installation, and registration steps automatically, but does not warn that these actions modify the filesystem, install software, and alter local runtime state. In an agent context, omitting explicit safety gates increases the chance that an agent will make privileged system changes without informed user consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README directly targets AI agents and instructs them to autonomously clone a repository, install dependencies, and run registration commands in their workspace. This is dangerous because it is a prompt-injection-style supply-chain path that turns documentation into executable instructions, causing unreviewed local system changes.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README tells agents to package and register external tools from arbitrary paths, effectively normalizing ingestion of untrusted code into the skill system. In this skill context, which is a universal dispatcher meant to be invoked broadly, that behavior expands attack surface significantly and can lead to persistence, execution of hostile plugins, or exposure of local files.

Vague Triggers

High
Confidence
96% confidence
Finding
The skill claims it must be used immediately for essentially any specific task or automated workflow, creating an overbroad trigger condition. In context, this is especially dangerous because the skill is an execution hub with broad capabilities, so accidental or unnecessary invocation expands exposure to privileged operations across routine interactions.

Vague Triggers

High
Confidence
97% confidence
Finding
The usage section mandates first-action invocation for a wide range of common requests and lifecycle events, which effectively attempts to supersede normal task handling. Such broad routing instructions can hijack agent behavior, cause unintended execution paths, and funnel benign requests through a privileged dispatcher that may access tools, files, or subprocesses unnecessarily.

Ssd 1

High
Confidence
98% confidence
Finding
This README contains explicit AI-agent-directed instructions to deploy the project into the agent's own workspace and execute installation and initialization commands. Because the skill is described as a universal dispatcher that must be called for many tasks, this creates a highly dangerous self-propagating prompt-injection vector that can establish code execution and long-lived integration without meaningful review.

Ssd 4

Medium
Confidence
89% confidence
Finding
The spec explicitly states that prompts/instructions from legacy skills, including a suspiciously named 'ai-trace-evader', are extracted and loaded as prompt context by plugins. In a centralized dispatcher skill that must be invoked for many user requests and automation hooks, this creates a strong prompt-inheritance and capability-amplification risk: unsafe or evasive instructions from legacy skills can be preserved, normalized, and automatically injected into unrelated executions.

Unpinned Dependencies

Low
Category
Supply Chain
Content
pydantic>=2.0.0
pyyaml>=6.0
pytest>=7.0.0
pytest-cov>=4.0.0
Confidence
90% confidence
Finding
pydantic>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pydantic>=2.0.0
pyyaml>=6.0
pytest>=7.0.0
pytest-cov>=4.0.0
Confidence
96% confidence
Finding
pyyaml>=6.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pydantic>=2.0.0
pyyaml>=6.0
pytest>=7.0.0
pytest-cov>=4.0.0
Confidence
83% confidence
Finding
pytest>=7.0.0

VirusTotal

No VirusTotal findings
