Trace Debuger

Security checks across malware telemetry and agentic risk

Overview

This trace-debugging skill does what it says, but it can automatically send raw logs and repository context into Codex without redaction or a clear opt-in boundary.

Review before installing or running on real production data. Use only with logs and repositories that are approved for Codex inspection, redact secrets and personal data first, and keep a copy of the generated report if you need auditability because the skill instructs deletion after sending.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

subprocess module call

Medium
Category: Dangerous Code Execution
Content:

    try:
        p = subprocess.run(
            ["codex", "exec", prompt],
            cwd=repo_path,
            capture_output=True,
            text=True,
            timeout=240,
        )

Confidence: 93%
Finding: p = subprocess.run(["codex", "exec", prompt], cwd=repo_path, capture_output=True, text=True, timeout=240)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 97%
Finding: The skill invokes a Python script that performs network access to Jaeger and Elasticsearch, reads a local repository path, writes a Markdown report, and references shell-style automation (`codex exec` equivalent), yet it declares no permissions. This creates a dangerous mismatch between apparent and actual capabilities, preventing informed consent and making it easier for a user or orchestrator to run code with filesystem, network, and command-execution side effects they did not explicitly approve.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding: This skill goes beyond deterministic trace/log retrieval by invoking an external agent-like CLI to analyze logs and code. In a security context, that materially increases the attack surface because untrusted log content can influence downstream model behavior and the subprocess may access or transmit repository data outside the user's expectations.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding: The script recursively walks the supplied repository, opens Go source files, and extracts matching content and caller-linked lines. That broad source-code discovery is risky because it can expose unrelated proprietary code and secrets from a repo, especially when later combined with logs and included in generated output or external analysis.

Missing User Warnings

Medium
Confidence: 91%
Finding: The instruction to delete the local Markdown file at the end is a destructive filesystem action that is not surfaced as a risk or made optional for the user. Even if the deleted file is generated output, automatic cleanup can remove evidence, interfere with audits or debugging, and violate user expectations about artifact retention.

Missing User Warnings

Medium
Confidence: 97%
Finding: Raw logs are packaged into a natural-language prompt and sent to an external `codex` subprocess without any user-facing notice, consent, or redaction step. Logs often contain credentials, personal data, internal endpoints, stack traces, or business-sensitive events, so undisclosed external transmission is a real confidentiality risk.

Missing User Warnings

Low
Confidence: 85%
Finding: The script writes a Markdown report containing trace identifiers, log messages, errors, caller paths, and code snippets to disk by default. This creates a persistent local disclosure risk because sensitive operational and source-code details may be stored in insecure locations, uploaded by CI, or read by other users/processes.

Ssd 3

Medium
Confidence: 96%
Finding: The prompt includes raw log contents and asks for combined code/log analysis, creating a direct path for sensitive log data to be reproduced by the model and carried into downstream output. Because logs are untrusted input, this also raises prompt-injection risk where malicious log text steers the external analyzer to reveal more data or produce unsafe conclusions.

Ssd 3

Medium
Confidence: 97%
Finding: The generated report echoes detailed logs, raw Codex output, repository hints, caller paths, and code lines into a single artifact. This amplifies disclosure risk by aggregating sensitive telemetry and source context into a durable file that may be shared in tickets, CI artifacts, or incident channels beyond the original need-to-know scope.

VirusTotal

65/65 vendors flagged this skill as clean.