S2G - General Purpose Workflow Engine

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real S2G integration, but it exposes powerful workflow controls through an unauthenticated network-accessible bridge by default.

Install only if you trust the S2G workflows and nodes you connect. Run the bridge behind a local firewall or change it to bind to 127.0.0.1, add authentication before exposing the port, set an S2G Auth Secret, avoid connecting destructive or production database/custom nodes unless needed, and treat bridge logs as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (17)

Context-Inappropriate Capability (severity: Medium, confidence: 90%)
The operations guide documents a local HTTP control/status API (`/health`, `/status`) even though the skill is described primarily as a WebSocket bridge. Exposing an additional management surface increases attack surface and may leak workflow metadata, connection state, node inventory, and error details to any process or host that can reach the listener.

Context-Inappropriate Capability (severity: Medium, confidence: 95%)
The documented `/reconnect` and `/refresh` endpoints are control operations and appear unauthenticated. If reachable by another local user, container peer, or remote host due to broad binding, an attacker could repeatedly disrupt service, force reconnections, or manipulate operational state, creating a denial-of-service and potential workflow confusion channel.

Context-Inappropriate Capability (severity: Medium, confidence: 95%)
The bridge exposes a control surface over HTTP that can execute any discovered S2G node and trigger refresh/reconnect operations, yet there is no authentication or authorization on these endpoints. Because it binds to 0.0.0.0 and enables CORS for all origins, other local users, containers, or reachable network clients may invoke workflow actions that exceed the stated purpose of simply connecting to S2G over WebSocket.

Context-Inappropriate Capability (severity: Low, confidence: 86%)
The `/status` endpoint reveals the S2G host, node ID, connection timing, error state, pending requests, and the full discovered node inventory with output parameters. This information materially helps an attacker enumerate available capabilities and target subsequent unauthorized execute calls against the unauthenticated API.

Missing User Warnings (severity: Medium, confidence: 88%)
The README promotes broad remote execution of workflow nodes, data pushes, workflow management, and schema discovery without prominently warning users that this can expose sensitive data and give a remote service influence over local agent behavior. In the context of an agent skill, these capabilities materially increase privacy, integrity, and operational risk because connected workflows may trigger database queries, cloud actions, or knowledge-base access with few described guardrails.

Missing User Warnings (severity: Medium, confidence: 86%)
The documentation promotes broad execution of remote workflow nodes, including databases, knowledge bases, and custom nodes, without clear user-facing warnings about destructive operations or data sensitivity. In this context, the bridge can become a generic remote action surface where users may unknowingly expose credentials, query production systems, or trigger harmful workflow steps.

Missing User Warnings (severity: Medium, confidence: 93%)
The Input Forwarding and Manual Payload features are documented as normal behavior without an explicit warning that upstream workflow data will be pushed to all connected agents. That creates a real confidentiality risk because webhook data, scheduler outputs, or processed records may be broadcast to connected clients unexpectedly.

Missing User Warnings (severity: Medium, confidence: 97%)
The bridge HTTP API exposes execution, status, refresh, and reconnect endpoints without any documented authentication or authorization controls. Because connected S2G nodes can include database, knowledge, and custom actions, an unauthenticated local API can become a powerful proxy for arbitrary sensitive or destructive operations.

Missing User Warnings (severity: Medium, confidence: 95%)
The documentation explicitly instructs users to read the API key from a local credentials file and reuse it in shell commands, but it provides no warning that this value is a sensitive secret that should not be logged, echoed, shared, or committed. In an agent/automation context, normalizing direct file-based secret extraction increases the risk of credential disclosure and misuse across later commands or transcripts.

Missing User Warnings (severity: Medium, confidence: 88%)
The API reference exposes destructive DELETE operations for workflows, nodes, connections, and connections/auth records without clearly warning that these actions may be irreversible and can disrupt running automations. In operational environments, this can lead to accidental data loss or service interruption when an agent or user follows the docs literally.

Missing User Warnings (severity: Medium, confidence: 91%)
The Knowledge Base section documents mutating operations such as AddEntity, UpdateEntity, DeleteEntity, AddRelation, and RemoveRelation without warning that they alter or remove stored knowledge. In a tool-execution setting, an agent could unintentionally modify persistent organizational data, causing integrity issues or loss of important information.

Missing User Warnings (severity: Medium, confidence: 86%)
The AI generation section states that generated workflows are immediately persisted, but this side effect is easy to miss and is not prominently framed as a creation/modification action. That can cause unexpected workflow creation and later execution of AI-produced automation artifacts that the user did not intend to save.

Missing User Warnings (severity: Medium, confidence: 93%)
The connections section covers OAuth tokens and API keys, which are highly sensitive credentials, but lacks an explicit warning about secure handling, storage, rotation, and exposure risk. In agent workflows, insufficient secret-handling guidance can lead to credential leakage into logs, prompts, exports, or insecure configuration files.

Missing User Warnings (severity: Low, confidence: 74%)
The example shows passing an API key directly on the command line via a header expression. Even with `$KEY`, the documentation does not warn about shell history, environment leakage, process inspection, or safer secret-handling practices, which can lead to accidental credential exposure on multi-user systems or in logged command transcripts.

Missing User Warnings (severity: Medium, confidence: 96%)
The document states the bridge HTTP API binds to `0.0.0.0`, which exposes status and control endpoints on all interfaces unless separately firewalled. In the context of this skill, that materially increases risk because the same API includes operational introspection and state-changing actions like reconnect/refresh.

Missing User Warnings (severity: Medium, confidence: 95%)
The documentation explicitly states that if the Auth Secret is blank, the WebSocket connection is open and unauthenticated, but it does not warn users about the security consequences of exposing workflow execution without authentication. In the context of this skill, that is dangerous because the bridge can execute workflow nodes including database queries and custom nodes, so an operator may inadvertently deploy a remotely accessible control surface without access controls.

Missing User Warnings (severity: Medium, confidence: 97%)
The HTTP API provides remote-action endpoints such as `/execute`, `/refresh`, and `/reconnect` without any access control, confirmation, or safety interstitial. In the context of this skill, discovered S2G nodes may include custom nodes, database queries, knowledge-base actions, or other sensitive workflow operations, so exposing them over a network listener creates a broad unauthorized command surface.

VirusTotal

66/66 vendors flagged this skill as clean.
