site analyzing tools

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real site-analysis tool, but it automatically probes and stores local network details and shares targets with third-party services without enough user control.

Review before installing, especially on corporate, sensitive, or internal networks. Use it only for domains and IPs you are authorized to test, assume public targets and route data may be sent to third-party DNS/IP-info services, and inspect or delete ~/.site-analyzer-env.json after use. The publisher should make environment probing explicit, add a no-remote-lookups mode, prefer HTTPS-only services, and safely serialize probe data instead of embedding network-derived strings into code.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import

Findings (18)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
import json, os, sys
SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))  # assumed; not shown in the finding
def load_env():  # hypothetical wrapper; the finding shows only the function body
    env_file = os.path.expanduser("~/.site-analyzer-env.json")
    if not os.path.exists(env_file):
        print("[setup] First run: probing network environment...", file=sys.stderr)
        os.system(f"bash {os.path.join(SCRIPT_DIR, '00_probe_env.sh')}")  # flagged: shell execution on first use
    try:
        with open(env_file) as f:
            return json.load(f)
    except (OSError, json.JSONDecodeError):  # assumed completion; the finding is cut off here
        return {}
Confidence
90% confidence
Finding
os.system(f"bash {os.path.join(SCRIPT_DIR, '00_probe_env.sh')}")

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly invokes shell commands and performs network operations, yet no permissions are declared. That creates a transparency and policy-enforcement gap: callers may not realize the skill can initiate outbound requests, run local probes, and write local state. In this context, the risk is amplified because the skill also auto-probes the local environment on first use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The declared description understates several behaviors: WHOIS lookups, calls to third-party IP intelligence services, and DoH fallback to external DNS providers. This mismatch matters because users may provide sensitive internal targets or assume analysis is self-contained, while the skill actually discloses query data and local egress metadata to third parties.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This skill automatically executes a local shell script during initialization, which creates implicit code execution as a side effect of merely using the tool. In a security-sensitive agent context, hidden first-run execution is dangerous because users may not expect arbitrary local scripts to run, and compromise of the skill files or runtime environment would turn this into an execution primitive.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description does not clearly warn that first use will automatically probe the local network environment and persist the results to a file in the user's home directory. Automatic environment discovery can expose the host's public IP, ISP, and tooling footprint, and persistence introduces additional privacy and operational risk if the file is later accessed or reused unexpectedly.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script automatically contacts third-party services (api.ipify.org and ip-api.com) to discover the host's public IP and geolocation/ISP details, which discloses network-identifying metadata outside the local environment. In the context of an agent skill that runs on first use, this creates a real privacy and environment-leakage risk because users may not expect their host/network details to be transmitted externally just to enable the skill.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The script persists collected environment data, including public IP, country, city, ISP, ASN, DNS servers, and tool availability, into a hidden file in the user's home directory. While not inherently malicious, storing this fingerprint without an explicit warning or retention controls can expose sensitive operational context to other local processes or future unintended disclosure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script transmits user-supplied IP addresses to third-party services (ip-api.com and ipinfo.io), which creates a privacy and operational disclosure risk. In this skill’s context, users may analyze internal, customer, or sensitive infrastructure addresses, and even though private IPs are filtered, public target IPs can still reveal investigation targets or network assets to external providers without explicit consent or warning.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
On first use, the skill probes the host environment automatically and without affirmative consent. Even if intended for baseline measurements, this can disclose local network characteristics, trigger unexpected outbound activity, and violate least surprise/privacy expectations in agent deployments where tools should minimize side effects.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
When UDP queries return empty, the code automatically falls back to third-party DoH providers and transmits the queried domain to external services without explicit user consent or a clear interface warning. In a site-analysis skill, queried domains may be sensitive internal, customer, or investigative targets, so this creates a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script transmits user-supplied public IP addresses to the third-party service ip-api.com over the network without any explicit user warning, consent prompt, or offline-only alternative. In this skill context, the behavior is functionally expected for IP geolocation, but it still creates a real privacy and data-disclosure risk because queried targets may be sensitive internal investigation artifacts and the ip-api request is made over plain HTTP, further increasing exposure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends queried IP addresses to ipinfo.io without notifying the user that their inputs are being disclosed to an external service. In a site-analysis skill this is somewhat contextually expected, but still dangerous because analysts may unknowingly leak investigation targets, customer infrastructure, or other sensitive indicators to a third party.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly documents sending user-supplied IP addresses to ip-api.com and ipinfo.io but does not warn that these inputs are disclosed to third-party services. This creates a real privacy and operational-security risk because queried IPs may be sensitive infrastructure indicators, internal investigation targets, or customer assets, and disclosure happens automatically as part of normal use.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The skill performs outbound ICMP and TCP probing against user-supplied targets and defaults to probing ports 80 and 443, but there is no in-file warning, consent step, or clear disclosure that network traffic will be generated. In an agent context, this can surprise users, trigger scans from the host environment, and expose the operator's network identity or cause policy/compliance issues.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script sends every non-private input IP to external services (ip-api.com over plain HTTP and ipinfo.io over HTTPS) without an explicit consent prompt, privacy notice, or option to disable third-party lookups. In a site-analysis skill, operators may supply sensitive target infrastructure IPs, so this behavior can leak reconnaissance data to outside parties and, for ip-api.com, expose requests to interception or tampering in transit.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The code automatically submits discovered public hop IPs to the IP attribution module without an explicit user warning or consent flow. In a site-analysis skill, this can leak network reconnaissance results, internal operational targets, and user-supplied destinations to external services used by 02_ip_info.py, creating a privacy and data-governance risk even if no classic exploit is present.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to run traceroute and perform per-hop IP attribution lookups, but it does not warn that this may actively probe a target network and may disclose target, route, or user-environment metadata to external lookup services. In a security-sensitive or privacy-sensitive context, that omission can lead users to trigger network activity or third-party data exposure without informed consent.

Unvalidated Output Injection

High
Category
Output Handling
Content
import subprocess
def run_whois(target):
    try:
        result = subprocess.run(
            ["whois", target],
            capture_output=True, text=True, timeout=15
        )
        return result.stdout  # assumed continuation; raw whois output is returned unvalidated
    except (OSError, subprocess.TimeoutExpired) as e:  # assumed completion; the finding is cut off here
        return f"whois failed: {e}"
Confidence
84% confidence
Finding
subprocess.run( ["whois", target], capture_output

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal