Task Interruption Mechanism (任务打断机制)

Security checks across malware telemetry and agentic risk

Overview

This skill openly describes itself as a task-stop helper, but it gives agents broad interrupt and process-signaling authority without sufficient scoping or input hardening.

Install only if you need agent interruption controls and can restrict who may trigger them. Before use, validate session IDs, avoid shell interpolation, bind stop requests to the correct owned session/process, protect /tmp flag files from tampering, and keep checkpoints free of secrets with a clear cleanup policy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The documentation explicitly states that only the current session's stop flag should be deleted, but the sample implementation builds the deletion path from flag.sessionId taken from file contents rather than enforcing this.sessionId. If an attacker can create or tamper with a flag file, the agent could delete another session's interrupt flag, interfering with task control and enabling cross-session disruption or denial of service.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The skill is documented as an interrupt/checkpoint mechanism, but it also instructs the main agent to invoke shell commands and send SIGINT to a process. That expands the capability from passive state management into active OS-level control, which can terminate the wrong process, create command-injection risk if sessionId/reason are not safely handled, and cause unintended side effects on the host.

Intent-Code Divergence

Low
Confidence: 78%
Finding
The documentation emphasizes graceful interruption and avoiding unhandled exceptions, but the provided example does not show error handling around the shell execution or process signaling path. Failures in exec or process.kill can leave stale flag files, inconsistent checkpoints, or partial shutdown states that undermine the reliability of the interruption mechanism.

Missing User Warnings

Low
Confidence: 83%
Finding
The script writes attacker-influenced content to a predictable file path under /tmp using an unsanitized session ID. In a multi-user environment, predictable temporary-file creation can enable symlink or path-manipulation attacks, and unescaped JSON fields can also produce malformed output or unsafe downstream processing if other components trust the flag file.

VirusTotal

66/66 vendors flagged this skill as clean.