Network Scanner

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate network-scanning skill, but it builds its shell commands by interpolating scan parameters into a single string that is executed with shell=True, so crafted input (a CIDR, DNS value, or config value containing shell metacharacters such as ";" or "$(...)") can run unintended local commands on the host doing the scan.

Review before installing. Use it only on networks you own or are authorized to scan; do not pass it untrusted network names, CIDRs, DNS values, or config files; and prefer --no-sudo unless MAC discovery is required (MAC addresses come from ARP-level discovery, which needs raw sockets and therefore root). The publisher should replace shell=True command strings with argument-list subprocess calls and validate CIDR/DNS/config inputs before this is treated as low risk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

def run_cmd(cmd, timeout=60):
    """Run a shell command and return output.

    Flagged: cmd is a single string handed to /bin/sh, so any scan
    parameter interpolated into it can append or substitute commands.
    """
    try:
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)
        return result.stdout.strip()
    except subprocess.TimeoutExpired:
        # A hung scan is reported as empty output rather than raised.
        return ""
Confidence
98%
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)
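The remediation the Overview asks for (argument-list subprocess calls plus CIDR/DNS validation), shown next to the flagged run_cmd pattern. This is an added example, not the skill's own code: run_cmd_unsafe reproduces the finding, run_argv and build_scan_argv are hypothetical replacements, nmap with -sn and --dns-servers is an assumed scanner invocation (the page does not say which binary the skill calls), and the malicious CIDR is a constructed input.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at most 253 characters overall.
# Shell metacharacters cannot match this pattern, so they never reach argv.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def run_cmd_unsafe(cmd, timeout=60):
    """The flagged pattern: one string interpreted by /bin/sh."""
    try:
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=timeout)
        return result.stdout.strip()
    except subprocess.TimeoutExpired:
        return ""


def run_argv(argv, timeout=60):
    """Hardened form: an argv list and no shell, so each element is exactly one argument."""
    try:
        result = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
        return result.stdout.strip()
    except subprocess.TimeoutExpired:
        return ""


def validate_cidr(value):
    """Return the canonical network for a CIDR string, or raise ValueError.

    ipaddress.ip_network accepts only an address plus optional prefix, so
    anything with ';', '$(', spaces or a bad prefix length is rejected here.
    """
    return str(ipaddress.ip_network(value.strip(), strict=False))


def validate_dns_server(value):
    """Accept an IP address or an RFC 1123 hostname; raise ValueError otherwise."""
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(value):
        return value
    raise ValueError(f"invalid DNS server: {value!r}")


def build_scan_argv(cidr, dns_server=None, use_sudo=False):
    """Assemble argv for a ping sweep from validated inputs (hypothetical helper).

    Validation happens before any process is spawned; sudo is only prepended
    when the caller explicitly asks for it (the page's --no-sudo default).
    """
    argv = ["sudo"] if use_sudo else []
    argv += ["nmap", "-sn", validate_cidr(cidr)]  # assumed scanner and flags
    if dns_server is not None:
        argv += ["--dns-servers", validate_dns_server(dns_server)]
    return argv


if __name__ == "__main__":
    # Constructed malicious CIDR: after the ';' a shell sees a second command.
    evil = "10.0.0.0/24; echo INJECTED"
    # 'echo' stands in for the scanner so this runs offline without nmap.
    print(run_cmd_unsafe("echo " + evil))          # two lines: the CIDR, then INJECTED
    print(run_argv(["echo", evil]))                # one line: the whole string, literally
    try:
        build_scan_argv(evil)
    except ValueError as exc:
        print("rejected before spawning anything:", exc)
    print(build_scan_argv("10.0.0.5/24", "8.8.8.8", use_sudo=True))
```

The argv form alone already stops command injection, because nothing parses the string; the validators add defence in depth by rejecting values that are not a network or resolver at all, which also blocks argument-injection tricks such as a value beginning with "-" being read as an extra option.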

VirusTotal

65/65 vendors reported this skill as clean (no detections). A clean antivirus verdict does not address the command-injection finding above: AV engines match known malware, not unsafe subprocess usage in otherwise legitimate code.