Genor's Project Orchestration

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent for project orchestration, but it exposes an unauthenticated network dashboard and stores broad session/project context in plaintext.

Review before installing. Use it only if you are comfortable with local persistent orchestration logs and network provider probes. Keep the dashboard bound to localhost or behind a firewall, avoid logging secrets or proprietary context, and only enable cron or PM2 after explicitly deciding you want long-running persistence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and operationalizes shell, file, environment, and network capabilities through multiple bash scripts and workflow instructions, but it does not declare corresponding permissions or user-facing guardrails. This creates a capability-transparency gap where an agent may perform impactful actions such as writing files, probing network providers, or starting services without the user understanding the scope of access.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The server binds to 0.0.0.0 and exposes POST and DELETE endpoints that allow anyone who can reach the port to create, modify, or delete persistent model records with no authentication or authorization checks. In an orchestration skill, model configuration directly influences routing and operational behavior, so unauthorized changes can disrupt workflows, poison metadata, or steer agents toward unsafe or costly models.

Intent-Code Divergence

Low
Confidence
95% confidence
Finding
The POST handler accepts arbitrary JSON fields and persists them wholesale into models.json, only performing shallow merging for a couple of nested objects. This enables untrusted clients to inject unexpected keys or overwrite sensitive metadata that other orchestration components may later trust, creating configuration poisoning and potentially unsafe downstream behavior.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script explicitly instructs the LLM to perform 'Project discovery' by checking broad home-directory locations such as ~/projects/ and ~/code/. That expands scope from onboarding/orchestration into filesystem enumeration of potentially sensitive user workspaces without a clear need, and in an LLM-driven flow this can normalize overbroad access requests or collection of unrelated project metadata.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrase "onboard" is extremely broad and likely to appear in normal conversation, making accidental activation plausible. Because activation leads to execution of a setup script, an ordinary user request could unintentionally cause shell commands, file changes, or environment modifications.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill enumerates scripts that scaffold projects, log sessions, probe providers, test connectivity, and start a dashboard, but it does not clearly warn users about file writes, telemetry/logging, network access, or long-running local services. That omission increases the risk of users invoking actions with system or privacy impact they did not meaningfully consent to.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The onboarding flow instructs the agent to probe local services, inspect common project directories, and execute multiple shell scripts and commands, but it does not require explicit, granular user consent before each action or clearly disclose what data may be collected. In an orchestration skill, these behaviors increase risk because they can enumerate local assets, reveal sensitive project metadata, and make persistent system changes such as installing cron jobs.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This script persists full task details, notes, and optional context directly to disk in plaintext session files and project tracking JSON without any sensitivity checks, redaction, or user warning. In an orchestration skill, those fields can easily contain secrets, proprietary code fragments, incident details, or other sensitive operational context, so the logging behavior creates a real confidentiality risk if the data directory is shared, backed up, or later accessed by other tools or users.

Context Leakage

High
Category
Data Exfiltration
Content
| Command | Purpose |
|--------|---------|
| `bash {baseDir}/scripts/onboard.sh` | First-time setup |
| `bash {baseDir}/scripts/init-project.sh <path> <name> [stack]` | Scaffold project |
| `bash {baseDir}/scripts/log-session.sh ...` | Log session |
| `bash {baseDir}/scripts/log-decision.sh ...` | Log ADR |
| `bash {baseDir}/scripts/check-prices.sh` | Price check |
| `bash {baseDir}/scripts/discover-models.sh` | Probe providers |
Confidence
79% confidence
Finding
Log session

VirusTotal

VirusTotal findings are pending for this skill version.
