Geordi

Security checks across malware telemetry and agentic risk

Overview

Geordi is a coherent coding-agent mission runner, but its installer and runtime authority need careful review: it installs a command on the PATH, relies on code fetched from GitHub at install time, and the reviewed package is missing the CLI executable it claims to install.

Install only after reviewing the GitHub source or using a pinned, inspected checkout. Be aware that Geordi is intended to read local project context, run Codex or Droid, execute verification commands, and write logs/state. Do not use it in repositories containing secrets or sensitive private data unless you are comfortable with that context being included in agent prompts and receipts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill clearly instructs the operator to clone a repository, run an installer script, execute shell commands, read local project files, and write state under the repository and home directory, yet it declares no permissions. That mismatch is dangerous because users and enforcement layers may treat the skill as lower-risk than it actually is, reducing scrutiny around filesystem access and command execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior goes beyond the stated high-level purpose by including remote installation from GitHub, PATH-adjacent binary placement, local file harvesting for context, and persistent writes to project and home directories. This is risky because operators may invoke the skill expecting bounded orchestration, while it can introduce supply-chain exposure, collect more local context than expected, and modify the environment outside the target repo.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to execute a shell script fetched directly from the network via curl piped into bash, which prevents meaningful review before execution and creates a supply-chain risk if the remote content, repository, tag, or delivery path is compromised. In this skill's context the risk is elevated because the tool is meant to install and run automation that interacts with local repositories and developer tooling, so a compromised installer could gain broad access to source code or credentials in the environment, or modify local binaries.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This script deliberately prints the contents of a project context file and additional repository metadata, such as package details, testing/PRD excerpts, and recent git history, to stdout so that it can be inserted into the prompts of downstream build tasks. If that output is shown to an LLM, logged, persisted in receipts, or sent to a remote runner, it can expose sensitive internal information without any consent gate, redaction, or scope control.

VirusTotal

VirusTotal findings are pending for this skill version.
