
Security audit

ensp

Security checks across malware telemetry and agentic risk

Overview

This skill is a documentation-only helper for creating local eNSP topology files, with no evidence of hidden execution, credential access, networking, or persistence beyond the expected output file.

Install this if you want an agent to generate eNSP `.topo` files from network descriptions. Use it in a directory where creating new topology files is acceptable, pick clear filenames, and review generated topology details before opening them in eNSP if they describe sensitive or complex networks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 93%
Finding
The activation trigger is overly broad because it says to always use this skill when a user asks to create, generate, or design a network topology diagram for eNSP, which can match many ordinary requests without clear exclusion criteria. This can cause the agent to invoke the skill inappropriately, leading to unintended file generation and tool use in contexts where the user may have wanted discussion, planning, or a different output format instead.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly instructs writing a .topo file to the current directory using the Write tool without requiring prior user confirmation or warning that a filesystem side effect will occur. This is dangerous because an agent may create files unexpectedly, potentially overwriting data, cluttering the workspace, or performing actions the user did not knowingly authorize.

VirusTotal

65/65 vendors flagged this skill as clean.
