Code Assistant

Security checks across malware telemetry and agentic risk

Overview

This code-assistant skill is transparent about sending workspace code to an external API, but its scope wording and production-ready security example need review before use.

Install only if you are comfortable sending selected workspace files and code snippets to Evolink and running local verification commands. Use it in a sandbox or non-sensitive repository, review commands before execution, and do not reuse the JWT API example in production without replacing the secret, disabling debug mode, and hardening authentication and storage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The skill claims it will only read files explicitly mentioned by the user or directly required for the task, but later states it reads workspace files broadly for project context. This inconsistency can mislead users about the actual data exposure boundary and may cause unintended transmission of unrelated source files or sensitive project content.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The workflow says the agent should ask for consent before reading and transmitting files, but the security section describes workspace file transmission to the external API as part of normal operation. This creates a deceptive consent model where users may believe transmission is conditional when it is effectively built-in, increasing the risk of unintentional exfiltration of proprietary code or secrets.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The documentation explicitly claims the example is production-ready and contains no placeholders, but the code hardcodes `app.config['SECRET_KEY'] = 'your-secret-key-here'`, which is an obvious placeholder and unsafe for any real deployment. In skill context this is more dangerous because users are encouraged to run the example immediately and may deploy it with the default secret, allowing JWT forgery and full authentication bypass if the secret is known or guessed.

Intent-Code Divergence

Severity: Medium
Confidence: 86%
Finding
The `token_required` decorator uses a bare `except:` around token parsing and JWT decoding, which masks malformed Authorization headers, expired tokens, invalid signatures, and unrelated programming errors behind the same response. In this context, the issue is amplified because the markdown markets the code as having proper error handling, which can mislead users into reusing a fragile authentication pattern in real services.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding
The example instructs users to run `python api.py`, which starts a live Flask server with `debug=True` and processes registration/login credentials, but the markdown does not warn about the risks of exposing a debug server or handling real authentication data in a sample app. This context increases danger because the surrounding text says the code is ready to run immediately and production-ready, encouraging unsafe real-world use rather than isolated local testing.

VirusTotal

45/45 vendors flagged this skill as clean.