Skill Graphify

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate graph-building skill, but it can install an unpinned Python package and save indexed project data locally.

Install and run this in a virtual environment when possible. Only point it at folders you are comfortable indexing, add .graphifyignore entries for secrets or private files, and review or delete graphify-out before sharing because the generated graph, report, HTML, and cache may contain project content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises operational behavior that includes shell execution, reading project files, and writing outputs, yet it declares no permissions or equivalent safety boundaries. This creates a transparency and consent problem: an agent could execute filesystem and shell actions the user did not reasonably expect, especially because it also performs installation and writes into the target directory.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill is described as a cross-platform wrapper for a CLI, but the documented behavior goes beyond that by auto-installing a package via pip, generating and reading reports, and implying broader execution behavior. That mismatch can mislead operators about trust boundaries and side effects, increasing the risk of unintended package installation, filesystem modification, and data processing without informed consent.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The wrapper automatically installs a package from PyPI at runtime when `import graphify` fails, which introduces a software supply-chain risk unrelated to merely operating on local files. A compromised package, typosquatted dependency, or hostile index configuration could lead to arbitrary code execution under the user's privileges.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Invoking pip from the wrapper expands the skill's capabilities from graph processing into package management, which materially increases attack surface. Because pip executes package installation logic and dependency resolution from external sources, this can become arbitrary code execution if the package source is malicious or unexpectedly altered.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The instructions say output is written to `<project>/graphify-out/`, but the skill does not prominently warn that running it modifies the target project directory. In environments where the target folder is sensitive, version-controlled, or monitored, unexpected writes can contaminate repositories, affect tooling, or expose generated artifacts to later processes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The notes disclose that semantic extraction for documents and images may use LLM subagents, but there is no clear privacy warning near usage that user content may be sent to external models or services. For codebases, papers, screenshots, or internal documents, this can lead to unintentional disclosure of proprietary or sensitive data during processing.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Automatically installing packages without explicit user approval is dangerous because it performs a networked, code-acquiring action that users may not expect from a local graph wrapper. In this skill context, silent package installation is more concerning because the stated purpose is local graph construction/querying, not environment modification.

VirusTotal

59/59 vendors flagged this skill as clean.