Skill Forge

Security checks across malware telemetry and agentic risk

Overview

This is a coherent skill-building tool, but it can rewrite local skills and publish generated artifacts externally with weak review and confirmation boundaries.

Install only if you intend to use an active skill factory, not a passive documentation helper. Review generated files before running them, avoid --publish until content and metadata are checked, use least-privilege or test accounts for browser publishing, and run batch optimization only on a backed-up skill workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises and documents capabilities such as generating files, deployment scripts, publishing workflows, and invoking external commands, but it does not declare corresponding permissions. This creates a trust and consent gap: an agent or runtime may permit file and shell operations without the user understanding the full execution scope, increasing the chance of unauthorized local changes or command execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented behavior expands beyond simple skill fusion into direct publishing, batch modification of existing skills, repository index generation, and deployment artifact creation. That mismatch is dangerous because users may invoke the skill expecting documentation assistance while it performs broader system-modifying or externally visible actions, which undermines informed consent and can lead to unintended publication or mass file changes.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script automatically emits a deployment configuration with publish enabled and visibility set to public, which can cause generated agents to be prepared for broad distribution without an explicit opt-in safety gate. In this skill's context, which is designed as an automated production line for turning skills into deployable agents, that default increases the chance that unsafe, unreviewed, or over-privileged agents are exposed externally.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script does more than local skill generation: it prepares marketplace publication metadata and can actively publish generated artifacts to ClawHub via an external command. In a skill-generation context, crossing from content generation into external distribution is security-relevant because it can expose unreviewed artifacts publicly and trigger irreversible side effects beyond the local workspace.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The optimize-all path rewrites existing SKILL.md files in the workspace and creates backups, which is a stronger capability than passive analysis or scaffolding. In this skill's context, broad write access to an entire skill library increases the risk of unintended tampering, corruption, or propagation of generated content across many installed skills.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script invokes an external CLI subprocess to publish artifacts, extending its power from local file generation to external system interaction. Even though it uses a fixed argument list rather than a shell string, the security issue is the side effect itself: the tool can push artifacts outward without sufficient separation of duties, review, or safety gating.

Vague Triggers

High
Confidence
90% confidence
Finding
The trigger example '帮我处理一下业务需求' (roughly "help me handle a business requirement") is so broad that ordinary conversation could activate the skill unintentionally. In a skill that can generate files, deployment assets, and publishing flows, accidental invocation can cascade into unwanted analysis, file creation, or follow-on automation.

Vague Triggers

High
Confidence
89% confidence
Finding
The phrase '需要批量处理' (roughly "needs batch processing") is ambiguous and lacks any constraint tying it to this skill's domain. Because the skill supports batch construction and deployment-related outputs, such a vague trigger raises the risk of misrouting normal batch requests into a powerful automation pipeline.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation promotes deployment script generation, batch builds, and one-click publishing without clearly warning that these actions may modify local files, create executable artifacts, or publish content externally. Users may therefore authorize the skill without understanding the operational and security consequences, especially in an automated agent environment.

Missing User Warnings

High
Confidence
95% confidence
Finding
Automatic multi-platform publishing through browser automation is high risk because it can interact with authenticated sessions, submit forms, and transmit content or screenshots to external services. Without clear privacy, account-safety, and external-action warnings, users may unknowingly expose credentials, publish sensitive data, or trigger irreversible actions on third-party platforms.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
In batch optimization mode, the script silently overwrites existing skill files and creates backup files without prior confirmation. This is dangerous because users may run the command expecting analysis or minor formatting, but instead it performs broad persistent changes across the workspace, which can damage trusted skill definitions or introduce unintended content at scale.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Single-skill optimization also overwrites the target SKILL.md and writes a backup immediately, without an explicit warning or approval step. Although narrower than batch mode, it still creates silent filesystem side effects that can surprise users and alter deployment behavior if the edited skill is already in use.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Demand mode creates directories and writes multiple files such as SKILL.md, agent-config.json, and claw.json without a prominent warning about the resulting filesystem changes. In this skill's context, this matters because user input directly drives artifact generation, so an operator may unintentionally populate the workspace with deployable content and metadata they did not intend to create.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
When --publish is used, the script executes a publish command with an affirmative flag and only prints a progress message, not a meaningful warning or final confirmation. This is more dangerous than ordinary file writes because it can cause immediate external publication of generated artifacts, potentially exposing internal content, metadata, or low-quality/unreviewed skills to a public marketplace.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The tool automatically creates directories and writes files into the shared skills workspace as soon as a demand matches, without confirmation, dry-run mode, or destination safeguards. In an agent or automated pipeline context, this can lead to unintended workspace modification, clutter, overwrite-style collisions, or poisoning of a skill repository through unreviewed generated artifacts.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal