Box-KVCache

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is mostly a local, user-run LLM utility, but it needs review because one included loader enables pickle-based NumPy loading, which can execute code if given a malicious compressed file.

Review or patch the NumPy loading code before using compressed cache files from others. If you proceed, install dependencies in a virtual environment, run the scripts as an unprivileged user, and expect them to execute local system/Ollama commands and possibly start a background Ollama service.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI05: Unexpected Code Execution
Medium
What this means

If you load a compressed cache file from someone else, it could run code on your machine with your user privileges.

Why it was flagged

The helper loads a caller-supplied compressed file with pickle enabled. A malicious .npz/.npy object array can trigger arbitrary code execution when loaded; numeric KV-cache arrays do not require pickle.

Skill content
def load_compressed(self, filepath: str):
    data = np.load(filepath, allow_pickle=True)
Recommendation

Change this to allow_pickle=False, validate the expected arrays and shapes, and only load compressed files you created or fully trust.

ASI05: Unexpected Code Execution
Low
What this means

Running the checker executes local system commands and may print local model, GPU, and memory information to your terminal.

Why it was flagged

The environment checker runs local shell commands to inspect Ollama, llama.cpp, GPU, and system status. The commands are fixed in the script and align with the stated purpose, but they are still local command execution.

Skill content
subprocess.run(
    cmd, shell=True, capture_output=True,
    text=True, timeout=timeout
)
Recommendation

Run it from a trusted copy of the skill, preferably in a normal unprivileged shell.

ASI10: Rogue Agents
Low
What this means

Ollama may continue running in the background and consuming system resources.

Why it was flagged

The launcher can start Ollama as a detached background service. This is disclosed and relevant to launching local inference, but it may keep running after the command returns.

Skill content
subprocess.Popen(
    ["ollama", "serve"],
    stdout=subprocess.DEVNULL,
    stderr=subprocess.DEVNULL,
    start_new_session=True
)
Recommendation

Stop the Ollama service manually when you are done if you do not want it to keep running.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

You rely on whatever package versions your Python package index provides at install time.

Why it was flagged

The setup instructions install unpinned third-party Python packages. These are expected dependencies for numerical compression work, but the artifact does not pin versions or provide an install lockfile.

Skill content
pip install numpy scipy
Recommendation

Install from a trusted package index, use a virtual environment, and consider pinning known-good versions of numpy and scipy.