Skillsign — ed25519 Skill Signing

Security checks across malware telemetry and agentic risk

Overview

This is a local signing tool, but its trusted-author checks can be misled by editable metadata, so users should review it before relying on it for security.

Use this only as a local utility until the trust-binding issue is fixed. Do not rely on TRUSTED labels, inspect output, or provenance chains as proof of author identity. Protect ~/.skillsign private keys, only trust keys from sources you verify independently, and treat VirusTotal/static-clean results as helpful but not a substitute for fixing the verification logic.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill documentation advertises file read, file write, and shell capabilities, but no explicit permission model or declared permissions are present. In an agent ecosystem, this creates a mismatch between what the skill can do and what reviewers or policy engines may expect, increasing the chance of over-privileged execution or unsafe use of a tool that manipulates local files and key material.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The tool advertises provenance-chain support, but verification only validates the current manifest signature and never authenticates or checks the contents of chain.json. An attacker can therefore forge or rewrite provenance history to make a skill appear to come through a trusted lineage, misleading users who rely on the chain for supply-chain decisions.

Intent-Code Divergence

Low
Confidence: 84%
Finding
The inspect command reads signer.json and manifest.json without cryptographic verification, yet displays a TRUSTED/UNTRUSTED label based on the fingerprint found in that unsigned metadata. A tampered folder can therefore present a trusted-looking identity during inspection, creating UI-driven trust confusion even though authenticity has not been established.

VirusTotal

66/66 vendors flagged this skill as clean.