ClawHub

Debug Assistant

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed AI debugging tool that sends user-selected logs, error text, stack traces, or code snippets to EvoLink for analysis.

Install only if you are comfortable sending the specific logs, stack traces, error messages, or code files you choose to EvoLink. Review and redact secrets, tokens, customer data, private paths, and proprietary code before using the AI commands; the local cheatsheet and language commands do not require network access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises and relies on capabilities including environment-variable access, shell execution, file reads, and temporary file writes, but it does not declare explicit permissions for them. This creates a transparency and policy-enforcement gap: users or hosting platforms may not realize the skill can read arbitrary user-supplied files and transmit their contents to a remote API, increasing the chance of unintended data exposure.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script is explicitly designed to transmit user-supplied error logs, stack traces, and source code to a third-party API at api.evolink.ai for analysis. That creates a real data-exfiltration/privacy risk when users pass sensitive logs or proprietary code, especially because the skill metadata does not clearly disclose the external transmission behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README instructs users to send error logs, stack traces, and code-related debugging context to a third-party AI service, but it does not warn that these inputs may contain secrets, personal data, internal paths, proprietary code, or production details. This creates a real privacy and data-governance risk because users may unknowingly exfiltrate sensitive information during normal use of the skill.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The AI commands send log contents, stack traces, source code, and user error messages to an external service without an explicit runtime warning or consent gate. In a debugging context, these inputs often contain secrets, internal paths, tokens, customer data, or proprietary code, so undisclosed transmission materially increases privacy and confidentiality risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The AI subcommands read local files and error messages, truncate them, and send their contents to EvoLink for analysis, but the script does not provide an explicit privacy warning or require affirmative consent at the point of transmission. In a debugging context, logs, stack traces, and source files commonly contain secrets, tokens, internal URLs, customer data, or proprietary code, so this creates a real data-exposure risk even if the feature is intentional.

External Transmission

Medium
Category
Data Exfiltration
Content
" "$native_prompt" "$native_content" "$native_payload" "$model"

  local response
  response=$(curl -s -X POST "$EVOLINK_API" \
    -H "Authorization: Bearer $api_key" \
    -H "Content-Type: application/json" \
    -d "@$tmp_payload")
Confidence
94% confidence
Finding
curl -s -X POST "$EVOLINK_API" \ -H "Authorization: Bearer $api_key" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
#   suggest <file> --error <message>   — AI suggest fixes for code with error

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
EVOLINK_API="https://api.evolink.ai/v1/messages"

# --- Helpers ---
err() { echo "Error: $*" >&2; exit 1; }
Confidence
90% confidence
Finding
https://api.evolink.ai/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal