ClawHub

Clawhub Manager

Security checks across malware telemetry and agentic risk

Overview

This is mostly a legitimate ClawHub management skill, but a scanner test script can unexpectedly reach the real publish flow and the publish script includes a security-scan bypass.

Install only if you are comfortable with a tool that can publish and delete ClawHub skills using your active CLI login. Verify the logged-in account and target directory before publishing, avoid --skip-security for real releases, and do not run test-security-scan.sh unless you accept possible live publish side effects.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Unsafe Defaults

Medium
Category
Tool Misuse
Content
### ⚙️ 改进

- **发布流程优化**:安全扫描失败时会阻止发布,并提供修复建议
- **跳过选项**:添加 `--skip-security` 参数(不推荐,仅用于测试)

### 🔧 技术细节
Confidence
81% confidence
Finding
skip-security

Unsafe Defaults

Medium
Category
Tool Misuse
Content
bash test-security-scan.sh

# 跳过安全扫描(不推荐)
bash publish.sh /path/to/skill --version 1.0.0 --skip-security
```

---
Confidence
87% confidence
Finding
skip-security

Unsafe Defaults

Medium
Category
Tool Misuse
Content
```bash
# ⚠️ 仅在测试环境使用
bash publish.sh /path/to/skill --version 1.0.0 --skip-security
```

### 3. 手动安全检查
Confidence
88% confidence
Finding
skip-security

Unsafe Defaults

Medium
Category
Tool Misuse
Content
```bash
# ⚠️ 仅在测试环境使用
bash publish.sh /path/to/skill --version 1.0.0 --skip-security
```

## 注意事项
Confidence
89% confidence
Finding
skip-security

Unsafe Defaults

Medium
Category
Tool Misuse
Content
SLUG=""
NAME=""
CHANGELOG=""
SKIP_SECURITY=""

while [[ $# -gt 0 ]]; do
  case $1 in
Confidence
86% confidence
Finding
SKIP_SECURITY

Unsafe Defaults

Medium
Category
Tool Misuse
Content
CHANGELOG="$2"
      shift 2
      ;;
    --skip-security)
      SKIP_SECURITY="yes"
      shift
      ;;
Confidence
90% confidence
Finding
skip-security

Unsafe Defaults

Medium
Category
Tool Misuse
Content
shift 2
      ;;
    --skip-security)
      SKIP_SECURITY="yes"
      shift
      ;;
    *)
Confidence
90% confidence
Finding
SKIP_SECURITY

Unsafe Defaults

Medium
Category
Tool Misuse
Content
echo "  --slug <slug>         技能 slug(可选)"
  echo "  --name <name>         显示名称(可选)"
  echo "  --changelog <text>    更新日志(可选)"
  echo "  --skip-security       跳过安全扫描(不推荐)"
  echo ""
  echo "示例:"
  echo "  $0 /path/to/skill --version 1.0.0"
Confidence
84% confidence
Finding
skip-security

Unsafe Defaults

Medium
Category
Tool Misuse
Content
echo "  3. 确保敏感文件在 .gitignore 中"
    echo "  4. 撤销已泄露的密钥并重新生成"
    echo ""
    echo "如需跳过安全扫描(不推荐),使用 --skip-security 参数"
    return 1
  fi
}
Confidence
85% confidence
Finding
skip-security

Unsafe Defaults

Medium
Category
Tool Misuse
Content
}

# 执行安全扫描(除非显式跳过)
if [ "$SKIP_SECURITY" != "yes" ]; then
  if ! security_scan "$SKILL_PATH"; then
    echo "⚠️  发布已取消"
    exit 1
Confidence
92% confidence
Finding
SKIP_SECURITY

Unsafe Defaults

Medium
Category
Tool Misuse
Content
exit 1
  fi
else
  echo "⚠️  警告:已跳过安全扫描(--skip-security)"
  echo ""
fi
Confidence
87% confidence
Finding
skip-security

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal