Trace Debugger Safety

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a trace/log debugging helper, but the supplied evidence shows it can automatically run Codex in a local repository context using log-derived prompts.

Install only if you are comfortable with a debugging skill that may read observability logs, inspect a local repository, write reports, and invoke Codex from that repository context. Use it only on trusted logs or after confirming Codex execution is explicitly opt-in, repo paths are user-supplied, and sensitive log fields are redacted before analysis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content

    try:
        p = subprocess.run(
            ["codex", "exec", prompt],
            cwd=repo_path,
            capture_output=True,
            text=True,
            timeout=240,
        )
Confidence
96% confidence
Finding
p = subprocess.run( ["codex", "exec", prompt], cwd=repo_path, capture_output=True, text=True, timeout=240, )

MCP Least Privilege

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises and instructs use of capabilities equivalent to network access, shell execution, and local file read/write, but declares no permissions. That mismatch undermines least-privilege enforcement and prevents reviewers or runtime policy from accurately gating access, which is especially risky here because the workflow pulls untrusted logs, may inspect a local repository, and writes/deletes report files.

MCP Tool Poisoning

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a true security issue because the skill claims safer behavior while the described implementation reportedly still hardcodes a repo path, lacks a real --no-codex disable path, and exposes repository scanning/code extraction beyond the declared purpose. Security-feature misrepresentation is dangerous: operators may trust the skill in hostile log environments and inadvertently allow prompt-injection into Codex or unintended local code exposure.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The implementation contradicts the safety claims in the skill metadata: Codex runs automatically whenever logs exist, and a hardcoded default repository path is still present. This mismatch is security-relevant because users may trust the 'safer' description and unknowingly expose local code or secrets to analysis driven by attacker-controlled logs.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The report warns that Codex prompt injection is the primary risk and advises against use with untrusted logs, yet the script has already sent those raw logs to Codex before writing that warning. This is dangerous because the caution is post hoc and does not reduce exposure; it may create a false sense of safety while the vulnerable behavior remains automatic.

VirusTotal

60/60 vendors flagged this skill as clean.