ClawHub

AI元认知置信度追踪器

Security checks across malware telemetry and agentic risk

Overview

This confidence-checking skill has a legitimate purpose, but it under-discloses that it can send both user questions and answers to MiniMax through a local CLI using the user's API key.

Install only if you are comfortable with questions and generated answers being sent to MiniMax via a local `mmx` CLI using your MiniMax API key. Review or disable it for confidential chats, and expect the publisher to correct the privacy section, document the CLI and credential requirements, and make broader learning/reporting behavior explicitly opt-in.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
env = os.environ.copy()
    env["MINIMAX_API_KEY"] = api_key

    result = subprocess.run(cmd, capture_output=True, text=True, timeout=60, env=env)

    if result.returncode == 0:
        try:
Confidence
92% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=60, env=env)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill reads API credentials from the environment and a user config file even though its declared purpose is only to assess answer confidence and add an uncertainty marker. This expands access to sensitive secrets and enables outbound calls without clear need or user awareness, which is a privilege/scope mismatch.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill spawns an external CLI to perform evaluation, giving it code-execution-like capability beyond a narrow confidence-labeling helper. In agent contexts, unnecessary subprocess execution materially increases risk because it depends on whatever 'mmx' binary is present and can transmit user content off-box.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The implementation sends the user's question and proposed answer to an external model for adjudication, which is broader than an internal self-awareness module and creates a privacy/data-sharing risk. Sensitive prompts or draft responses could be exposed to a third party without clear consent.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill does not define when it should activate, so it may be applied broadly to unrelated conversations or outputs. For a behavior-modifying skill that prepends uncertainty labels, ambiguous scope can cause unintended interception, inconsistent behavior, or abuse through unexpected triggering across contexts.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code both loads credentials and performs outbound model invocation without any user-facing disclosure in the execution path. That combination is dangerous because users may reasonably expect a local confidence checker, not a component that accesses secrets and sends content to an external service.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal