Clawdbot Security Suite

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local security validator, but its optional automatic hook has review-worthy risks: it shells out with user-controlled arguments, fails open, and persistently logs sensitive tool data.

Install only if you specifically want a local Clawdbot security validation layer. Prefer manual validation first; enable the automatic hook only after reviewing its shell invocation and fail-open behavior. Treat logs as sensitive, because commands, URLs, paths, and tool arguments may be retained locally. Do not treat an ALLOWED result as permission to run destructive or privileged commands without normal user approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Context-Inappropriate Capability (High, 97% confidence)

Finding: The hook shells out to an external program using a constructed command string and execSync, which introduces an unnecessary code-execution boundary inside a security control. Because the path and arguments are interpolated into a shell command, a malformed path, quoting edge case, or compromised external validator can turn the security hook itself into an execution primitive, and a failed or tampered validator directly affects all security decisions.

Description-Behavior Mismatch (Medium, 99% confidence)

Finding: The security validator explicitly allows tool execution when the validation skill is missing, returns unclear output, or throws an error. In a pre-execution security hook, this fail-open behavior defeats the stated protection model: an attacker who breaks, removes, or bypasses the validator gets unrestricted execution instead of being blocked.

Description-Behavior Mismatch (Medium, 87% confidence)

Finding: The hook persistently logs security events and serialized context, potentially including tool arguments and other sensitive request data, to a file under the user's home directory. This creates a secondary data store of sensitive information that may be readable by other local processes, retained longer than intended, and accessed outside the original tool execution context.

Intent-Code Divergence (Medium, 96% confidence)

Finding: The stated security philosophy explicitly says to allow execution when validation fails or is unclear, which creates a fail-open design. In a security skill, this is dangerous because an attacker can target parser failures, ambiguous outputs, or missing dependencies to bypass protection and still get dangerous commands executed.

Intent-Code Divergence (Medium, 98% confidence)

Finding: The example claims commands should always be validated before dangerous execution, but still runs `eval "$command"` when validation is unclear. That makes the validation gate ineffective in edge cases and allows attacker-crafted inputs or validator failures to reach shell execution.

Intent-Code Divergence (Medium, 92% confidence)

Finding: The documentation makes a strong privacy claim that analysis is local-only with no data transmission, yet elsewhere encourages external threat-intelligence updates and social-media following for updates. This inconsistency can mislead users into trusting the skill under false assumptions about network behavior and privacy boundaries.

Intent-Code Divergence (Medium, 95% confidence)

Finding: The file states that patterns are updated from community reports, CVE databases, and live detection sources, which implies external sourcing, while another section claims all analysis is local with no external calls. Security tooling that misrepresents online dependencies can cause unsafe deployment decisions in restricted or sensitive environments.

Missing User Warnings (Medium, 81% confidence)

Finding: The document claims 'No data transmission' and 'No telemetry or external calls' while also advertising `security.sh update-patterns` and community threat intelligence updates. If updates require network access, this omission can mislead operators into enabling a feature that contacts external services, creating privacy, supply-chain, or egress policy risks.

Vague Triggers (Medium, 88% confidence)

Finding: The hook is configured for both `before_tool_call` and `after_tool_call` and explicitly states it runs automatically on every tool call. Broad automatic invocation increases the chance of over-collection, accidental interference with unrelated tools, and exposure of sensitive tool parameters/results across the entire agent workflow.

Missing User Warnings (Medium, 93% confidence)

Finding: The documentation advertises real-time logging and later states that all security events are logged, but it does not clearly warn that tool results and potentially sensitive parameters may be recorded. This creates a privacy and secret-handling risk because users may unknowingly enable persistent logging of commands, URLs, and other sensitive data.

Missing User Warnings (Medium, 96% confidence)

Finding: The hook logs full tool arguments during pre-call validation, and those arguments may contain commands, file paths, prompts, credentials, or personal data. Storing them without redaction or disclosure can expose secrets to local users, support personnel, or later forensic access, turning routine operations into a confidentiality risk.

Missing User Warnings (Medium, 97% confidence)

Finding: The generic logging helper writes arbitrary JSON-serialized context to disk, which can capture user input, tool parameters, error details, and other sensitive runtime information. Because it is centralized and used across the hook, a broad range of confidential data may be retained unintentionally and exposed through the log file.

Missing User Warnings (Medium, 88% confidence)

Finding: The instructions tell the agent to download code from the internet, unpack it, copy it into the skills directory, and mark it executable without any integrity verification, provenance checks, or user warning. This exposes users to supply-chain compromise and unreviewed filesystem modification under the guise of installing security tooling.

Missing User Warnings (Low, 82% confidence)

Finding: The README advertises real-time logging, alerts, and audit trails but does not warn that security events may contain sensitive operational details such as commands, URLs, file paths, or snippets of scanned content. In a security skill, this omission can lead operators to enable persistent logging without considering privacy, retention, or access controls, increasing accidental data exposure risk.

Missing User Warnings (Low, 86% confidence)

Finding: The monitoring section exposes a specific persistent log path and encourages tailing the log, but it does not mention privacy, retention, or file permission requirements. This can cause users to store security events indefinitely in a predictable location where local users or other processes may access sensitive telemetry.

Vague Triggers (Medium, 78% confidence)

Finding: The activation guidance says to use the skill before executing commands, web requests, file operations, and when processing external content, which are broad categories covering many routine agent actions. Overly broad activation can cause the skill to be invoked on large portions of normal workflow, increasing attack surface, operational dependence, and the chance that flawed validation logic becomes a gatekeeper or bypass target.

Missing User Warnings (Medium, 92% confidence)

Finding: The script logs raw user-supplied commands, URLs, paths, and scanned content metadata into a persistent file under the user's home directory. This can expose sensitive data such as secrets in command arguments, internal URLs, filesystem locations, or other confidential inputs to anyone with access to that account or its backups, and the security context increases the likelihood that especially sensitive material will be processed and retained.

VirusTotal

65/65 vendors flagged this skill as clean.