Clawhub Gate

Security checks across malware telemetry and agentic risk

Overview

This is a real security-gate helper, but it can publish a skill even when the user asks for the documented local-only check.

Install only if you are comfortable with a helper that can publish or update ClawHub skills using your logged-in account. Do not rely on `--local-only` as written; the script should be fixed to skip `clawhub sync` before any local-only run and should require an explicit publish confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill performs network-capable actions (`clawhub sync` and polling a remote API, plus reading a local token from `~/.config/clawhub/config.json`) but declares no corresponding permissions or capabilities in the manifest. This creates a transparency and policy-enforcement gap: users or the hosting platform may not realize the skill can publish content and make authenticated network requests.

Vague Triggers

Severity: High
Category: Vague Triggers
Confidence: 96%
Finding:
The manifest trigger regexes are extremely broad (`(.*)` around generic words like '发布', 'sync', '安全', '检测'), making accidental activation likely in ordinary conversation. Because this skill can run local scanners, read config, perform authenticated network polling, and invoke `clawhub sync` to publish/update a skill, unintended activation could cause disruptive or unauthorized actions.

VirusTotal

58/58 vendors flagged this skill as clean.
