Changshu Dev Assistant

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it bundles broad local access, external LLM calls, cross-skill execution, and conflicting privacy/scope documentation that users should review carefully before installing.

Install only if you are comfortable with a broad local developer assistant. Review the code before use, avoid enabling external LLM settings for sensitive projects unless you intend to transmit prompts, do not pass secrets on the command line, restrict WIKI_PATH or search targets to non-sensitive folders, and be cautious with the run/convert features because they can execute or import code from other Hermes skill locations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if args:
    query = ' '.join(args)
    cmd.extend(["-q", query])
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
if result.returncode == 0:
    return result.stdout
else:
Confidence
94% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises and documents capabilities that include environment-variable access, file read/write, shell execution, and network use, but it does not declare any permissions boundary. This creates a trust and review gap: operators may treat it as a lower-risk local helper while it can access sensitive local data and invoke external services or subprocesses.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose frames the skill as a focused local Dameng migration and scanning assistant, but the behavior described extends to general LLM chat via external APIs, persistent monitoring, prompt CRUD, diagnostics, and subprocess-based interaction. This mismatch is dangerous because users and reviewers may authorize the skill under a narrower threat model than its actual behavior, increasing the chance of unintended data exposure or risky execution.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The implementation materially exceeds the stated manifest scope by including interactive chat, system diagnosis, external LLM calling, and Hermes skill inspection/execution capabilities. Scope expansion is dangerous because users may trust the manifest and grant the tool access or run modes they would not expect, increasing the chance of privacy leakage or unsafe execution paths.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The assistant exposes a direct wrapper for executing arbitrary Hermes skills, which is not justified by its declared focus on Dameng migration, code scanning, and knowledge search. In skill ecosystems, running another skill can transitively execute untrusted logic, access local files, or invoke further tools, making this a significant trust-boundary violation.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The search function recursively traverses ~/wiki and reads every Markdown file, then returns previews of matching content. That is broader local file access than required for core database tooling and can expose unrelated sensitive notes if the capability is invoked unexpectedly or by a higher-level agent without clear user awareness.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The tool dynamically imports and instantiates Python code from ~/.hermes/skills/sql-splitter/scripts/dm_converter.py after modifying sys.path. Any attacker who can alter that file or path can cause arbitrary code execution in the context of this tool, creating an unjustified cross-skill trust boundary.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The quickstart presents the skill as a broad system-management, programming, database, and AI assistant, which materially exceeds the declared scope of database migration, code security scanning, and knowledge search. Scope inflation is dangerous because users may grant trust, permissions, or run commands under false assumptions about what the skill is supposed to do, increasing the chance of over-privileged use and unintended actions.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This section advertises operational commands for diagnosis, monitoring, log access, automation, and model/provider integration that are broader than the declared skill purpose. Even if only documented, these commands normalize sensitive host interaction and can mislead users into invoking functionality with access to logs, system state, or external services without an accurate security boundary.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The documentation claims fully offline use and that data will not be uploaded to the cloud, while elsewhere it documents external model/provider integration and Claude Code interoperability. This creates a misleading privacy and data-handling guarantee that could cause users to expose sensitive code, logs, or database content under the false belief that no external transmission can occur.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
User prompts and optional system prompts are sent to externally configured AI endpoints with no explicit runtime disclosure, consent, or data-classification safeguards. In a local-assistant context, users may assume prompts stay on-device; silent transmission can expose source code, credentials, database details, or proprietary content to third-party services.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code invokes external Hermes commands, including skill execution, without warning the user that a subprocess and potentially untrusted external automation will run. This is risky because users may believe they are only interacting with a local assistant command when they are actually triggering another executable and skill runtime.

Missing User Warnings

Medium
Confidence
71% confidence
Finding
The connection test uses supplied credentials to initiate a live network connection, but the CLI does not clearly warn that credentials will be transmitted to a remote server. In an agent setting, that can lead to surprising secret use or unreviewed outbound access, especially when host and port are user-controlled.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The tag search not only reads local Markdown files but also returns content previews from them. Even if limited to .md files, this can surface sensitive local knowledge-base content without an explicit warning, which is risky in an assistant context that is not primarily a note-reading tool.

Missing User Warnings

Low
Confidence
84% confidence
Finding
Commands for monitoring, log analysis, and automation are presented without disclosure that they may read local operational data, application logs, or other potentially sensitive system information. Lack of notice weakens informed consent and can lead users to expose secrets, credentials, or private operational context unintentionally.

VirusTotal

64/64 vendors flagged this skill as clean.