
Security audit

Genos基因序列分析 (Genos gene sequence analysis)

Security checks across malware telemetry and agentic risk

Overview

The skill presents itself as a DNA sequence analysis tool, but installing or using it can automatically run local Python and code shipped inside the model repository, with setup behaviour that is broader than its stated purpose and not covered by any declared permission.

Review before installing. Use a virtual environment or container; inspect and pin dependencies to exact versions (pip's `--require-hashes` mode also pins their contents); download Genos models only from verified official sources and pin the model revision; avoid entering a Hugging Face token unless it is actually needed, and when it is, supply it through the HF_TOKEN environment variable rather than an echoing prompt; and require explicit approval before the first model load, because trust_remote_code=True executes Python from the model repository on the local machine. Note that the `>=` floors in the skill's requirements do not by themselves install the old versions named in the advisories below; what gets installed is whatever pip resolves at install time, so audit the resolved versions rather than the declared ranges.
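As an added illustration of the last three recommendations (this is example code, not part of the skill or of the Genos project; the allowlist entry, the approval flag and the error strings are assumptions made for illustration), a policy gate placed in front of the first from_pretrained call:

```python
# Added example: policy gate in front of the first model load. Not the skill's code;
# the allowlist entry and the approval flag are assumptions made for illustration.
import re

ALLOWED_REPOS = {"example-org/genos-model"}   # hypothetical; fill from the verified official source
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")

E_REPO = "repository is not on the verified allowlist"
E_REVISION = "revision must be a full 40-hex commit sha (branch and tag names are mutable)"
E_REMOTE_CODE = "trust_remote_code=True executes Python from the model repository; explicit approval required"


def check_load_request(repo_id, revision, trust_remote_code=False, approved_remote_code=False):
    """Return the reasons this load must not proceed; an empty list means it may."""
    problems = []
    if repo_id not in ALLOWED_REPOS:
        problems.append(E_REPO)
    # 'main' or a tag can be moved after review; a commit sha names exactly one set of files.
    if not COMMIT_SHA.fullmatch(revision or ""):
        problems.append(E_REVISION)
    # Remote code is only acceptable after a decision the user made, not a default.
    if trust_remote_code and not approved_remote_code:
        problems.append(E_REMOTE_CODE)
    return problems


def load_model(repo_id, revision, trust_remote_code=False, approved_remote_code=False):
    """Load only after every check passes. approved_remote_code must come from an explicit
    user decision (a CLI flag or an interactive prompt), never from the skill's own markdown."""
    problems = check_load_request(repo_id, revision, trust_remote_code, approved_remote_code)
    if problems:
        raise PermissionError("; ".join(problems))
    # Imported lazily so the policy above runs (and can be tested) without torch/transformers.
    from transformers import AutoModel
    # huggingface_hub reads the token from the HF_TOKEN environment variable; nothing here
    # prompts for it with echo or places it on a command line.
    return AutoModel.from_pretrained(repo_id, revision=revision, trust_remote_code=trust_remote_code)
```

The checks run before anything is imported from transformers, so a refused request never touches the network, the model cache, or the repository's Python files.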

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

Tainted flow: 'model_status_file' from os.environ.get (line 45, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
model_status_dir = os.path.dirname(model_status_file)
if model_status_dir and not os.path.exists(model_status_dir):
    os.makedirs(model_status_dir, exist_ok=True)
with open(model_status_file, 'w') as f:
    f.write('loaded')
Confidence
95% confidence
Finding
with open(model_status_file, 'w') as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no permissions, yet its instructions require access to environment variables, filesystem reads/writes, and shell execution to check model state and run a Python startup command. This creates an implicit capability escalation: an agent may perform side effects the user did not authorize, including modifying local files and executing code.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared purpose is DNA analysis, but the documented behavior expands into operational actions such as downloading large models, performing authentication, and writing status/config files. This mismatch is dangerous because users and orchestration systems may invoke the skill expecting analysis only, while the agent instead performs networked installation and local state changes.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The document says model state is tracked in './scripts/.model_loaded', while the startup command writes './.model_loaded'. This inconsistency can cause repeated initialization attempts, incorrect state detection, or writes to unintended locations, increasing the chance of unsafe or confusing agent behavior.
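The tainted-flow finding (a status path taken verbatim from the environment and opened for writing) and the path disagreement just described are fixed by the same change: one canonical location, resolved against the skill's own directory and refused if it escapes it, used by both the reader and the writer. The following is an added example, not the skill's code; the variable name MODEL_STATUS_FILE and the default file name are assumptions.

```python
# Added example, not the skill's code: one canonical status-file location, resolved
# against the skill's own directory, refused if the environment tries to move it elsewhere.
# STATUS_FILE_ENV and DEFAULT_STATUS_FILE are assumed names.
import os
import tempfile
from pathlib import Path

STATUS_FILE_ENV = "MODEL_STATUS_FILE"            # hypothetical override variable
DEFAULT_STATUS_FILE = "scripts/.model_loaded"    # single location used by writer and reader


def resolve_status_path(base_dir, env=None):
    """Return the status-file path, or raise ValueError if it would leave base_dir."""
    env = os.environ if env is None else env
    base = Path(base_dir).resolve()
    raw = env.get(STATUS_FILE_ENV, DEFAULT_STATUS_FILE)
    if os.path.isabs(raw):
        raise ValueError(f"{STATUS_FILE_ENV} must be relative to {base}, got {raw!r}")
    candidate = base / raw
    # A link planted at the final component would redirect the write; links in parent
    # directories are caught below because resolve() follows them before the containment check.
    if candidate.is_symlink():
        raise ValueError(f"refusing to write through symlink {candidate}")
    resolved = candidate.resolve()
    if not resolved.is_relative_to(base):        # Python 3.9+
        raise ValueError(f"{raw!r} escapes {base}")
    return resolved


def mark_loaded(base_dir, env=None):
    """Record that the model is loaded; creates directories and files only inside base_dir."""
    path = resolve_status_path(base_dir, env)
    path.parent.mkdir(parents=True, exist_ok=True)
    # O_NOFOLLOW (where the platform has it) closes the window between the symlink check and the open.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o644)
    with os.fdopen(fd, "w") as f:
        f.write("loaded")
    return path


def is_loaded(base_dir, env=None):
    """The reader uses the same resolver, so state is checked exactly where it was written."""
    try:
        return resolve_status_path(base_dir, env).is_file()
    except ValueError:
        return False


def demo():
    """Run the guard over constructed inputs in a throwaway directory; returns the outcomes."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        out["before"] = is_loaded(d, {})
        written = mark_loaded(d, {})
        out["after"] = is_loaded(d, {})
        out["written_as"] = written.relative_to(Path(d).resolve()).as_posix()
        attempts = {                                   # constructed inputs
            "clean": "scripts/.model_loaded",
            "traversal": "../outside",
            "absolute": os.path.join(os.path.dirname(d), "outside"),
        }
        for label, value in attempts.items():
            try:
                resolve_status_path(d, {STATUS_FILE_ENV: value})
                out[label] = "allowed"
            except ValueError:
                out[label] = "rejected"
        # A symlink inside base_dir pointing outside it; skipped where links cannot be created.
        link = Path(d) / "status_link"
        try:
            os.symlink(os.path.join(os.path.dirname(d), "outside"), link)
        except (OSError, NotImplementedError):
            out["symlink"] = "skipped"
        else:
            try:
                resolve_status_path(d, {STATUS_FILE_ENV: "status_link"})
                out["symlink"] = "allowed"
            except ValueError:
                out["symlink"] = "rejected"
    return out
```

Because both mark_loaded and is_loaded go through resolve_status_path, the two paths the skill's documentation and startup command disagree on collapse into one, and the repeated-initialisation problem disappears together with the arbitrary write.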

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The markdown explicitly instructs the agent to automatically check local state, execute a Python command, and write a status file before using the skill, without any user-facing warning or confirmation. This is dangerous because it normalizes silent code execution and filesystem modification as part of routine skill use, which can be abused or cause unexpected side effects in the host environment.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script prompts for a Hugging Face token with a plain `read -p` (no `-s`), which echoes the secret to the terminal and so exposes it to shoulder-surfing, terminal recording, and copied session logs. It then passes the credential straight to `huggingface-cli login`, so the skill handles a sensitive secret with no basic protection and no warning to the user.

Unpinned Dependencies

Low
Category
Supply Chain
Content
torch>=2.0.0
transformers>=4.35.0
tokenizers>=0.15.0
numpy>=1.24.0
Confidence
94% confidence
Finding
torch>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
torch>=2.0.0
transformers>=4.35.0
tokenizers>=0.15.0
numpy>=1.24.0
Confidence
94% confidence
Finding
transformers>=4.35.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
torch>=2.0.0
transformers>=4.35.0
tokenizers>=0.15.0
numpy>=1.24.0
Confidence
89% confidence
Finding
tokenizers>=0.15.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
torch>=2.0.0
transformers>=4.35.0
tokenizers>=0.15.0
numpy>=1.24.0
Confidence
90% confidence
Finding
numpy>=1.24.0

Known Vulnerable Dependency: torch — 10 advisories: CVE-2025-2953 (PyTorch susceptible to local Denial of Service); CVE-2022-45907 (PyTorch vulnerable to arbitrary code execution); CVE-2025-32434 (PyTorch: `torch.load` with `weights_only=True` leads to remote code execution) +7 more

Critical
Category
Supply Chain
Confidence
97% confidence
Finding
torch

Known Vulnerable Dependency: transformers — 10 advisories: CVE-2023-2800 (transformers has Insecure Temporary File); CVE-2025-3933 (Transformers is vulnerable to ReDoS attack through its DonutProcessor class); CVE-2024-3568 (Transformers Deserialization of Untrusted Data vulnerability) +7 more

Critical
Category
Supply Chain
Confidence
96% confidence
Finding
transformers

Known Vulnerable Dependency: numpy — 10 advisories: CVE-2014-1859 (Numpy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL Pointer Dereference); CVE-2021-33430 (NumPy Buffer Overflow (Disputed)) +7 more

Critical
Category
Supply Chain
Confidence
84% confidence
Finding
numpy

VirusTotal

63/63 vendors flagged this skill as clean.
