Code Assistant

Security checks across malware telemetry and agentic risk

Overview

This code assistant has a legitimate purpose, but it sends selected workspace code to an external service (api.evolink.ai) and runs local verification commands, and its own statements about file scope, user consent, and security practices contradict each other.

Install only if you are comfortable sending selected workspace code to Evolink and running local verification commands. Use it in a sandbox or non-confidential repository, confirm exactly which files will be read before use, keep secrets out of the workspace, and do not copy the included authentication example into production without replacing the secret handling and disabling debug mode.
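One way to act on the advice above, as an added example (not the skill's own code and not something SkillSpector runs), is a pre-flight check that builds the exact manifest of files about to be sent and withholds anything that looks like a credential before asking for consent. The function names, the filename and content patterns, and the sample workspace below are all assumptions constructed for this illustration; the pattern lists are deliberately conservative and not exhaustive.

```python
import fnmatch
import re
from pathlib import PurePosixPath

# Filenames that should never leave the workspace, whatever they contain (assumed list).
SECRET_FILE_GLOBS = [".env*", "*.env", "*.pem", "*.key", "id_rsa*", "id_ed25519*",
                     "*.p12", "*.pfx", "credentials*", "*.kdbx"]

# Content patterns that mark a file as carrying a credential (illustrative, not exhaustive).
SECRET_CONTENT = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    # name = 'value' / name: "value" with a secret-ish name and a quoted value of 8+ chars;
    # deliberately broad, so it also catches placeholder keys like SECRET_KEY = '...'
    "generic_secret": re.compile(
        r"(?i)(?:secret|password|passwd|api[_-]?key|token)\w*\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}


def classify_file(relpath, content):
    """Return the reasons a file must be withheld from transmission ([] if none)."""
    reasons = []
    name = PurePosixPath(relpath).name
    if any(fnmatch.fnmatch(name, pattern) for pattern in SECRET_FILE_GLOBS):
        reasons.append("secret-like filename")
    for label, pattern in SECRET_CONTENT.items():
        if pattern.search(content):
            reasons.append(label)
    return reasons


def preflight(files):
    """Split a {relative_path: content} workspace snapshot into the files that may be
    sent and the files that are withheld, with the reason for each withheld file."""
    allowed, withheld = [], {}
    for relpath, content in files.items():
        reasons = classify_file(relpath, content)
        if reasons:
            withheld[relpath] = reasons
        else:
            allowed.append(relpath)
    return allowed, withheld


# Constructed sample workspace (not a real project) used to exercise the check.
SAMPLE_WORKSPACE = {
    "app.py": "from flask import Flask\napp = Flask(__name__)\n",
    ".env": "DATABASE_URL=postgres://app:hunter2@db/app\n",
    "config.py": "SECRET_KEY = 'your-secret-key-here'\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXk...\n",
    "README.md": "# Demo project\n",
}

if __name__ == "__main__":
    allowed, withheld = preflight(SAMPLE_WORKSPACE)
    print("Would be sent to the external service:")
    for path in allowed:
        print("  ", path)
    print("Withheld:")
    for path, reasons in withheld.items():
        print("  ", path, "->", ", ".join(reasons))
    # The printed manifest is the consent gate: nothing leaves until the user agrees.
    if input("Send the listed files? [y/N] ").strip().lower() != "y":
        raise SystemExit("transmission cancelled")
    print("(transmission of", len(allowed), "files would happen here)")
```

Run it against a real checkout by replacing SAMPLE_WORKSPACE with a dict built from the repository's files; the point of the design is that the manifest is computed and shown before any network call, so consent is given for a concrete list rather than for "workspace files" in the abstract.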

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Severity: Medium
Confidence: 95%

Finding
The skill's instructions promise minimal, user-scoped file access, but later sections authorize reading workspace files for broader project context and dependencies. This mismatch can mislead users and downstream agents into granting broader access than expected, increasing the chance of unnecessary exposure of proprietary code or secrets to the external API.

Intent-Code Divergence

Severity: Medium
Confidence: 97%

Finding
The skill says it will ask for user consent before transmitting files, but the security section states workspace files are read and sent to api.evolink.ai as part of normal operation. This contradiction undermines meaningful consent and could result in sensitive source code or secrets being exfiltrated despite the user believing transmission is gated.

Intent-Code Divergence

Severity: Medium
Confidence: 98%

Finding
The documentation says the example is production-ready and contains no placeholders, but the code hardcodes `app.config['SECRET_KEY'] = 'your-secret-key-here'`, which is plainly a placeholder secret. If copied into a real deployment, anyone who knows or can guess the key can forge valid JWTs and bypass authentication; since Flask also signs session cookies with SECRET_KEY, the same placeholder forges sessions as well. The misleading documentation increases the chance of unsafe reuse.

Intent-Code Divergence

Severity: Medium
Confidence: 99%

Finding
The notes claim security best practices, but the sample runs Flask with `debug=True`. Outside a local development environment, debug mode returns stack traces with local variable values to the client and serves the Werkzeug interactive debugger, which lets anyone who obtains or brute-forces its PIN execute Python in the server process, materially increasing remote attack risk.
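The two findings above (placeholder SECRET_KEY and debug mode) are illustrated here with an added example that is not from the skill, its bundled sample, or SkillSpector. The first half is a minimal stdlib HS256 JWT signer/verifier showing that whoever has read the sample can mint a token for any identity under `'your-secret-key-here'`; the second half is a fail-closed config loader that refuses to start with a placeholder key or with debug enabled outside development. The function names, the placeholder list, and the environment variable names `SECRET_KEY`, `FLASK_DEBUG` and `APP_ENV` are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# --- Minimal HS256 JWT (stdlib only): a guessable SECRET_KEY is equivalent to no auth ---

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key):
    """Mint a compact HS256 JWT for `claims` under `key`. With the sample's placeholder
    key, anyone who has read the sample can call this for any identity they like."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_jwt(token, key):
    """Return the claims if `token` has a valid HS256 signature under `key`, else None."""
    try:
        header, payload, signature = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse algorithm confusion such as alg=none
        expected = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(signature)):
            return None
        return json.loads(_b64url_decode(payload))
    except ValueError:  # malformed base64 or JSON (binascii.Error is a ValueError)
        return None


# --- Fail-closed configuration: the fix for the two flagged settings ---

# Values that are placeholders, not secrets (assumed list; extend for your own templates).
PLACEHOLDER_SECRETS = {"your-secret-key-here", "changeme", "change-me", "secret", "dev", "test", ""}


def config_problems(environ):
    """Reasons the given environment must not be used to start the app ([] means ok).
    Assumed variable names: SECRET_KEY, FLASK_DEBUG, APP_ENV."""
    problems = []
    key = environ.get("SECRET_KEY", "")
    if key.strip().lower() in PLACEHOLDER_SECRETS:
        problems.append("SECRET_KEY is missing or a placeholder value")
    elif len(key) < 32:
        problems.append("SECRET_KEY is shorter than 32 characters")
    if environ.get("FLASK_DEBUG", "0") == "1" and environ.get("APP_ENV") != "development":
        problems.append("FLASK_DEBUG=1 outside a development environment")
    return problems


def build_config(environ):
    """Flask-style config dict, or RuntimeError: the app fails closed instead of booting
    with 'your-secret-key-here' and debug=True the way the sample does."""
    problems = config_problems(environ)
    if problems:
        raise RuntimeError("refusing to start: " + "; ".join(problems))
    return {"SECRET_KEY": environ["SECRET_KEY"], "DEBUG": environ.get("FLASK_DEBUG") == "1"}


def generate_secret_key():
    """A fresh 64-character random key for SECRET_KEY; store it in a secrets manager, not in code."""
    return secrets.token_urlsafe(48)


if __name__ == "__main__":
    placeholder = "your-secret-key-here"  # the value hardcoded in the flagged sample
    forged = sign_jwt({"sub": "admin", "role": "admin"}, placeholder)
    print("forged token accepted by a server using the placeholder:", verify_jwt(forged, placeholder) is not None)

    bad_env = {"SECRET_KEY": placeholder, "FLASK_DEBUG": "1"}  # the sample's effective settings
    print("problems with the sample's settings:", config_problems(bad_env))

    good_env = {"SECRET_KEY": generate_secret_key(), "FLASK_DEBUG": "0"}
    app_config = build_config(good_env)
    print("hardened config accepted; debug =", app_config["DEBUG"])
    # In a real app: app.config.update(build_config(os.environ)); app.run(debug=app.config["DEBUG"])
```

In the real application the loader runs once at startup (`app.config.update(build_config(os.environ))`), so a deployment that still carries the placeholder, or that enables debug outside development, refuses to boot rather than silently serving forgeable tokens and the interactive debugger.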

Vague Triggers

Severity: Medium
Confidence: 88%

Finding
The invocation phrases are broad enough to match many ordinary coding requests, making the skill likely to trigger in situations where the user did not intend to use an external, networked code-analysis tool. In this skill's context, overbroad activation is more dangerous because the skill can read workspace files, transmit code externally, and execute verification commands.

VirusTotal

66/66 vendors flagged this skill as clean.