timeplus-app-builder

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for building and installing Timeplus app bundles; the examples that change server state are disclosed and consistent with that purpose.

Install only Timeplus apps whose DDL, Python UDFs, package list, webhook targets, and config secrets you have reviewed. Pay special attention to optional python_packages, named collections holding secrets, scheduled tasks, alerts, inputs that bind ports, and any external streams or webhooks, because each of these either persists on the Timeplus server or executes code there.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The alert example shows `CALL {{ .DB }}.notify_slack` even though the document states repeatedly that UDFs are global and must not be database-qualified. Anyone who copies the example generates DDL with a database-qualified function reference, so the inconsistency leads users to produce invalid app DDL or to misunderstand function resolution during installs, creating avoidable deployment failures in a workflow that modifies server state.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill states that `python_packages` are installed automatically before the DDL runs, but it does not clearly warn that this executes third-party code, including package install hooks, on the target server. Because app manifests are installable artifacts, encouraging package installation without guidance on trust, version pinning, and provenance increases supply-chain and remote-code-execution risk on the Timeplus host.
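The following Python script is an added example, not code from the skill, the scanner, or Timeplus. It turns the review checklist in the overview into an automated pre-install pass over an app bundle and catches both findings above: database-qualified UDF calls such as `CALL {{ .DB }}.notify_slack`, and python_packages entries that are unpinned or fetched from a URL or VCS rather than the package index. It also lists every statement that persists on the server or executes code, every external URL not on an allowlist, and every credential given as a literal in a SETTINGS clause. The manifest layout (a dict with `python_packages` and `ddl` lists), the `{{ .DB }}` template token handling, the CREATE keyword list, the setting names treated as secrets, and the sample bundle itself are all assumptions constructed for this example; the DDL in the sample is illustrative, not a Timeplus grammar reference.

```python
"""Pre-install review of a Timeplus app bundle manifest (added example).

The manifest shape, the "{{ .DB }}" token handling and the keyword lists below
are assumptions for this example, not a Timeplus specification.
"""
import re
from typing import Any, Dict, Iterable, List
from urllib.parse import urlparse

# Requirement pinned to an exact version, e.g. "requests==2.32.3".
PINNED = re.compile(r"^[A-Za-z0-9_.\-\[\]]+\s*==\s*[0-9][A-Za-z0-9_.+!\-]*$")
# Requirement fetched from a URL or VCS instead of the package index.
REMOTE_SOURCE = re.compile(r"^(git\+|hg\+|svn\+|bzr\+|https?://|file:)", re.IGNORECASE)
# "{{ .DB }}.name(" inside a statement: a database-qualified function call.
# UDFs are global, so such a call does not resolve (finding 1 above).
QUALIFIED_CALL = re.compile(r"\{\{\s*\.DB\s*\}\}\.(\w+)\s*\(")
# Text right before a qualified name when that name is the object being created
# (CREATE STREAM {{ .DB }}.events (...)); those are columns, not calls.
CREATED_OBJECT = re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?(?:\w+\s+){1,3}$", re.IGNORECASE)
# Statement kinds that persist on the server or execute code (assumed keywords).
PERSISTENT = re.compile(
    r"^\s*CREATE\s+(?:OR\s+REPLACE\s+)?"
    r"(EXTERNAL\s+STREAM|FUNCTION|TASK|ALERT|NAMED\s+COLLECTION)\b",
    re.IGNORECASE,
)
URL = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
# Setting names that usually carry a credential when given as a literal.
SECRET_SETTING = re.compile(
    r"\b(\w*(?:password|secret|token|api_key|authorization)\w*)\s*=\s*'([^']*)'",
    re.IGNORECASE,
)

# Constructed sample bundle: one unpinned package, one VCS package, one Python
# UDF posting to an outside host, one alert with a qualified UDF call, and one
# external stream with a hardcoded bearer token.
SAMPLE_MANIFEST: Dict[str, Any] = {
    "name": "slack-alerter",
    "python_packages": ["requests==2.32.3", "slack_sdk", "git+https://github.com/example/helper.git"],
    "ddl": [
        "CREATE STREAM {{ .DB }}.events (level string, msg string)",
        "CREATE OR REPLACE FUNCTION notify_slack(msg string) RETURNS string LANGUAGE PYTHON AS $$\n"
        "import requests\n"
        "def notify_slack(msgs):\n"
        "    url = 'https://hooks.slack.com/services/T000/B000/XXXX'\n"
        "    return [str(requests.post(url, json={'text': m}).status_code) for m in msgs]\n"
        "$$",
        "CREATE ALERT {{ .DB }}.error_spike AS SELECT msg FROM {{ .DB }}.events "
        "WHERE level = 'error' CALL {{ .DB }}.notify_slack(msg)",
        "CREATE EXTERNAL STREAM {{ .DB }}.audit_out (payload string) SETTINGS type = 'http', "
        "url = 'https://audit.internal.example/ingest', http_header_authorization = 'Bearer hardcoded-token'",
    ],
}


def review_manifest(manifest: Dict[str, Any], allowed_hosts: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Return one record per item a human must look at before installing."""
    allowed = set(allowed_hosts)
    findings: List[Dict[str, str]] = []

    def add(check: str, detail: str) -> None:
        findings.append({"check": check, "detail": detail})

    # python_packages are installed on the server before any DDL runs.
    for req in manifest.get("python_packages", []):
        req = req.strip()
        if REMOTE_SOURCE.match(req):
            add("remote_package_source", req)
        elif not PINNED.match(req):
            add("unpinned_package", req)

    for stmt in manifest.get("ddl", []):
        kind = PERSISTENT.match(stmt)
        if kind:
            add("persistent_object", " ".join(kind.group(1).split()).upper())
        for m in QUALIFIED_CALL.finditer(stmt):
            if not CREATED_OBJECT.search(stmt[: m.start()]):
                add("qualified_udf_call", m.group(1))
        for url in URL.findall(stmt):
            if (urlparse(url).hostname or "") not in allowed:
                add("external_url", url)
        for name, value in SECRET_SETTING.findall(stmt):
            if value:
                add("literal_secret", name)
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per check so a reviewer sees the shape of the bundle at a glance."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["check"]] = counts.get(f["check"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_manifest(SAMPLE_MANIFEST, allowed_hosts={"audit.internal.example"}):
        print(f"{f['check']:<24} {f['detail']}")
```

A bundle that yields any `qualified_udf_call`, `remote_package_source` or `literal_secret` record should be rejected outright; `unpinned_package`, `external_url` and `persistent_object` records are the list a reviewer works through by hand. The regexes are deliberately narrow: port-binding inputs and UDF references inside SELECT expressions are not detected here and still need a manual read of the DDL.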

VirusTotal

64 of 64 vendors reported this skill as clean.
