Adguard Test

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it reads AdGuard Home monitoring data, but users should handle credentials and DNS logs carefully.

Before installing, confirm the package identity, prefer environment variables or a secrets manager over adguard-instances.json, set any local config file to owner-only permissions, use the least-privileged AdGuard account available, and avoid sharing query-log output because it can reveal browsing activity and internal network details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The version history claims plaintext credential storage instructions were removed, but the document still contains examples that place admin usernames and passwords in JSON configuration files. This inconsistency can mislead users into unsafe secret handling and creates a realistic risk of credential exposure through local files, backups, screenshots, or accidental commits.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The documentation states configuration should only exist in the current workspace root, but earlier instructions direct users to store credentials under a global ~/.openclaw/workspace path. This contradiction increases the chance that sensitive credentials are placed in broader, persistent, or less-controlled locations than intended, weakening secret isolation and making accidental disclosure more likely.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill explicitly surfaces recent DNS queries, blocked domains, and client IP activity, which can expose sensitive browsing patterns, internal hostnames, and identifiable client information. In an admin-oriented monitoring skill this may be intended functionality, but without privacy warnings, access guidance, or data-minimization notes, the feature can enable unnecessary disclosure to users who do not appreciate the sensitivity of this telemetry.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The report declares the skill 'Production Ready' and recommends deployment even though it explicitly documents that credentials are stored in plaintext in a file with overly broad permissions. This can mislead operators into deploying an insecure configuration and increases the likelihood of credential disclosure to other local users or processes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The querylog command retrieves and prints recent DNS query history, including queried domains, client identifiers, timestamps, and matching rules. DNS logs can reveal sensitive browsing activity, internal hostnames, devices, and user behavior, so exposing them to stdout without an explicit warning or access guard increases the risk of privacy leakage, especially in shared terminals, logs, or agent outputs.

Excessive Permissions

Low
Category
Privilege Escalation
Content
**Issue:** Credentials stored in plaintext in `adguard-instances.json`

**Current Permissions:**
```bash
-rw-rw-r-- 1 foxleoly foxleoly 268 Feb 24 00:39 adguard-instances.json
```
Confidence
99% confidence
Finding
Permissions:*

VirusTotal

64/64 vendors flagged this skill as clean.
