Iserv

Security checks across malware telemetry and agentic risk

Overview

This is a real IServ school-platform client, but it gives an agent broad account access and includes unsafe download and destructive remote actions that need careful review.

Install only if you trust this script with the IServ account and server URL. Protect ISERV_* credentials, avoid shared shells or logs, and require exact confirmation before any send, upload, submit, rename, move, or delete command. Avoid downloading from untrusted or unexpected IServ instances until filename sanitization is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill clearly uses sensitive capabilities like network access and environment-based credential loading, but the manifest does not declare permissions or explicitly scope those capabilities. This weakens user understanding and reviewability, making it easier for a credentialed network client to be run with broader access than expected.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose frames the skill as a general IServ client, but the actual behaviors include higher-sensitivity actions such as reading full mail, sending messages, recursive file search, and downloading attachments. That mismatch increases the risk of over-privileged or surprising data access, especially because the skill operates against student accounts containing private communications and files.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The skill description and top-level docstring frame the tool as a minimal HTTP client for reading student data, but the implementation also supports sending mail, sending messenger messages, uploading files, renaming files, deleting files, and exercise submission. That capability expansion materially changes the trust boundary: an agent or caller expecting read-only access could unintentionally trigger state-changing remote actions on a live school account.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The docstring explicitly states a goal of providing read access, yet the code implements multiple remote write actions including mail send/reply, messenger send, file upload, mkdir, rename, delete, and exercise submission. This mismatch can mislead reviewers, operators, or higher-level agents into granting broader capabilities than intended, increasing the chance of unauthorized or destructive actions.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill instructs users to provide credentials through environment variables but does not warn that these values are sensitive and may be exposed through shell history, process inspection, logs, screenshots, or shared environments. Because the credentials grant access to school mail, files, messenger data, and submissions, poor handling can lead to account compromise and privacy breaches.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code exposes remote file deletion directly and tries multiple deletion endpoints automatically, with no confirmation, dry-run mode, path allowlist, or recycle-bin safeguard. In an agent setting, a mistaken prompt interpretation or malicious instruction could irreversibly delete user data from the school platform.

VirusTotal

66/66 vendors flagged this skill as clean.