boc deploy

Security checks across malware telemetry and agentic risk

Overview

This deployment skill is not deceptive, but it asks for root SSH credentials and can start broad infrastructure changes with limited safety guidance.

Install only if you intend to let an agent perform a real BOC/Kubernetes deployment. Before running it, review the generated config.yaml, confirm every target IP and role, prefer SSH keys or temporary credentials over passwords, avoid exposing credentials in logs or transcripts, monitor the background job, and remove or protect any config file containing passwords after deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly automates generation of configuration files and execution of a deployment workflow that changes remote systems, but the description does not prominently warn that it performs destructive or persistent system changes. In an agent setting, insufficient disclosure increases the risk that a user invokes the skill without understanding that it will alter infrastructure and start a lengthy installation process.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill requests an SSH password as an input parameter without any guidance on secure handling, masking, storage avoidance, or preference for safer authentication methods. Because this skill connects to privileged infrastructure hosts, collecting raw credentials creates material risk of credential leakage through logs, prompts, transcripts, or downstream tooling.

Session Persistence

Medium
Category: Rogue Agent
Content
```bash
cd /opt/BOC_k8s_noarch
nohup ./bocctl run -a install -c /root/config.yaml > log/bocctl.log 2>&1 &
```

The deployment process takes approximately 40-60 minutes.
Confidence: 87%
Finding
nohup

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal