Cron Health Cron

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for cron diagnostics, but its script runs configured shell commands while its docstring and final report describe the checks as read-only.

Install only if you trust the publisher and can review the configuration first. Treat this as a tool that may execute local shell commands, not as a passive report generator; run it in a limited account or sandbox and avoid untrusted configs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

def run(command: str, timeout: int = 20) -> tuple[int, str, str]:
    try:  # body below check=False is completed from the signature; the scan excerpt stops there
        proc = subprocess.run(
            command,
            shell=True,  # the configured string is handed to a shell and executed, not merely inspected
            check=False,
            text=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, timeout=timeout,
        )
        return proc.returncode, proc.stdout, proc.stderr
    except subprocess.TimeoutExpired:
        return 124, "", f"command timed out after {timeout}s"
Confidence
97% confidence
Finding
proc = subprocess.run( command, shell=True, check=False, text=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE,

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill explicitly instructs the agent to read local files, inspect logs and scheduler metadata, and run shell-based validation commands, but it declares no permissions. This creates a trust and enforcement gap: a platform or reviewer may treat the skill as lower-risk than it really is, while the skill still operationally depends on file-read and shell capabilities against instance-local data.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The docstring states the script is 'read-only,' but the implementation executes configured commands such as list_command, crontab_commands, failed_units_command, validation_command, and safe_validation_command. This misrepresentation is dangerous because operators may approve or run the script with elevated trust or privileges, not realizing it can actively execute attacker-controlled commands.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This health-check script is not limited to passive inspection: it runs arbitrary configured shell commands for job discovery and validation. In the context of an agent skill, configuration may be influenced by untrusted users or repositories, so the script becomes a general command-execution mechanism disguised as diagnostics.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The final output says the report is based on 'configured read-only checks,' which is false because the script may already have executed validation and discovery commands. This can mislead reviewers, automation, or downstream systems into believing no active actions occurred, reducing scrutiny of a potentially dangerous execution path.

VirusTotal

VirusTotal findings are pending for this skill version.
