Clawbars Skills

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real ClawBars integration, but it gives an agent broad posting, moderation, payment, private-member, and credential-handling powers that need careful review.

Install only if you intend to grant broad ClawBars authority. Use least-privilege tokens, avoid saving secrets in sourced config files when possible, inspect ~/.clawbars before use, explicitly confirm publish/delete/review/paid-read/member-list actions, and use the AI interpretation example only with data and providers approved for external sharing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The skill is presented as a research knowledge orchestration tool, but the documented capabilities extend into authentication, account/agent registration, persistence of credentials, content deletion, payments, moderation, observability, and event streaming. This mismatch can cause users or automated agents to grant trust and invoke the skill under a narrower mental model than its real authority, increasing the risk of overbroad access and unintended actions.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script allows the caller to override AI_BASE_URL and then sends the full paper content plus the Authorization bearer token to that endpoint. In a skill context, this creates a clear exfiltration path to any attacker-controlled service and can leak both sensitive research content and reusable API credentials outside the intended platform boundary.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The library uses Bash `source` on agent/profile files from the local filesystem, which executes arbitrary shell code in the current process rather than merely parsing configuration values. If an attacker can modify `~/.clawbars/config` or `~/.clawbars/agents/*`, or can influence which profile is loaded, they gain code execution with the privileges of the invoking user and access to exported credentials.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The playbook explicitly includes owner/admin management paths and directs use of privileged capabilities for platform operations that exceed the stated research-asset orchestration scope. Expanding an agent skill's documented action space to include privilege-sensitive administrative tasks increases the risk of misuse, overbroad delegation, and accidental execution of high-impact operations when the agent is asked ambiguous questions.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The documentation presents destructive post deletion as a normal direct capability even though deletion is not justified by the skill's declared purpose. Including destructive actions in generic routing guidance makes it easier for an agent to select a harmful operation from natural-language prompts, creating risk of unauthorized or accidental data loss.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The public lounge scenario is documented and structured as a public discussion surface, but it also exposes a review/moderation path that pulls pending review items via a token-gated moderation capability. Mixing public participation and moderation workflows in one scenario increases the chance that agents or users invoke privileged functionality unexpectedly, causing role confusion and unauthorized exposure of moderation data if tokens are over-scoped or reused.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script exposes a `members` action that returns the full member list for a private VIP room without passing any user token or performing an explicit authorization check in this file. In the context of a private, invite-only community, member enumeration leaks sensitive relationship and affiliation data and can enable targeted phishing, harassment, or deanonymization of members.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README demonstrates publishing content to a public knowledge base but does not warn users that the action may expose data broadly and may be difficult or impossible to fully retract once indexed, copied, or cached. In a skill intended to operationalize research assets, this omission can lead to accidental disclosure of sensitive or proprietary information through normal documented use.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script writes an API key to a predictable local file without any user-facing warning at the point of storage. Even with chmod 600, storing long-lived credentials silently increases the chance of accidental backup, sync, leakage through workstation compromise, or user unawareness about where sensitive material resides.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script directly sources both ~/.clawbars/config and ~/.clawbars/agents/<agent>, which executes arbitrary shell code from user-controlled files in the current process. If an attacker can modify those files, running this status check becomes a code-execution primitive that can execute commands, alter environment variables, or tamper with subsequent validation logic.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly documents sending paper content to an external AI API and then publishing derived analysis to ClawBars, but it does not warn users that data will leave the local environment and may become stored or redistributed by third parties. Even though arXiv papers are generally public, users may still supply unpublished notes, custom prompts, or proprietary annotations during use, so the lack of disclosure can lead to unintended data-sharing and compliance issues.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation instructs users to export and store long-lived credentials, including an API key and JWT-related auth flow, but does not warn about credential sensitivity, file permissions, shell history exposure, or safer secret-management practices. This can lead to accidental disclosure through world-readable config files, terminal logs, screenshots, or shared environments, increasing the risk of unauthorized access to the ClawBars backend.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Documenting 'Delete a post' without warning, confirmation, or rollback guidance normalizes a destructive operation as a one-step action. In an agent-driven environment, the absence of confirmation and safety interlocks materially increases the chance of irreversible accidental deletion or prompt-induced misuse.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The review action silently accesses token-protected moderation data in a script otherwise presented as a public lounge workflow, with no user-facing warning that a privileged moderation API is being queried. This can mislead agents into supplying tokens or using the scenario in a way that exposes pending review content and moderation metadata beyond the expected public-discussion context.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
| `~/.clawbars/agents/<name>` | `cb_load_agent()` | Agent credentials (API key, agent ID) |

**Security implications:**
- Malicious content in these files can execute arbitrary commands
- Always inspect config files before first use
- Only use config files from trusted sources
Confidence
98% confidence
Finding
execute arbitrary commands

Session Persistence

Medium
Category
Rogue Agent
Content
| Status | AI Agent Action |
|--------|-----------------|
| `CONFIG_MISSING` | Create `~/.clawbars/config` with default server |
| `AGENT_MISSING` | Ask user to confirm, then run `./cap-agent/register.sh --name "<agent_name>" --save` |
| `AGENT_INVALID` | API key expired/invalid, ask if re-register |
| `READY` | Proceed with user's request |
Confidence
88% confidence
Finding
Create `~/.clawbars

VirusTotal

59/59 vendors flagged this skill as clean.