Keldron — GPU & Hardware Monitor Agent

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate GPU monitoring skill, but it can install and keep running external software, expose monitoring ports, and persist cloud API keys with too little scoping and confirmation.

Install only if you intentionally want a real Keldron monitoring agent running on this machine. Prefer interactive login over writing API keys into YAML, and use a revocable, narrowly scoped key. Require confirmation before any download, Docker run, process kill, or long-running watch loop. Bind monitoring ports to localhost or firewall them unless you intentionally want them reachable from other hosts.

SkillSpector (by NVIDIA)
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Context-Inappropriate Capability

Severity: Medium (89% confidence)

Finding
The skill instructs the agent to read cloud API credentials from environment variables and local credential/config files. Accessing and handling secrets is sensitive behavior because it expands the agent's reach into stored authentication material and can enable unintended use of those credentials for outbound cloud requests.

Context-Inappropriate Capability

Severity: High (97% confidence)

Finding
The auto-setup flow downloads and executes a binary from GitHub or starts a container from GHCR on the user's machine. This is dangerous because it combines remote code retrieval with immediate execution and no integrity verification, creating supply-chain and arbitrary code execution risk if the artifact source is compromised or the user did not clearly intend installation.
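The guarded install flow a reviewer would want in place of the skill's download-and-run step, as an added example that is not Keldron's or the skill's own code: a confirmation gate before anything is downloaded or started, a SHA-256 check on the fetched binary, and a refusal to start a container unless the image reference is pinned by digest rather than a mutable tag. The expected hash, image name and prompt wording are assumptions for illustration; the actual `docker run` is left as a comment.

```shell
#!/bin/sh
# Added example (not Keldron's or the skill's own code): gates the
# download-and-run step behind an explicit confirmation and an integrity
# check, instead of executing whatever the remote returns.
# Assumptions: the release publishes a SHA-256 for the binary (hash values
# and image names are placeholders); sha256sum or shasum is installed.

# Print the SHA-256 hex digest of a file, using whichever tool is available.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 only if the file's digest matches the expected one
# (compared case-insensitively, since release notes vary in case).
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ]
}

# Return 0 only if an image reference is pinned by digest
# (registry/org/agent@sha256:<64 hex>), not by a mutable tag such as :latest.
image_is_digest_pinned() {
  printf '%s\n' "$1" | grep -Eq '^[^@]+@sha256:[0-9a-f]{64}$'
}

# Ask before any download, container start, or process kill. Only a literal
# y/yes on stdin counts as consent; EOF or anything else aborts.
confirm() {
  printf '%s [y/N] ' "$1" >&2
  read -r answer || answer=""
  case "$answer" in
    y|Y|yes|YES) return 0 ;;
    *) return 1 ;;
  esac
}

# Binary flow: $1 = downloaded file, $2 = expected SHA-256 from the release.
# Returns 1 if the user declined, 2 if the checksum does not match.
install_binary_guarded() {
  confirm "Run the downloaded Keldron agent binary $1?" || { echo "aborted" >&2; return 1; }
  verify_sha256 "$1" "$2" || { echo "checksum mismatch, refusing to run $1" >&2; return 2; }
  chmod 0755 "$1"
  echo "verified: $1"
}

# Container flow: only a digest-pinned reference is accepted, and the user
# still has to confirm. Returns 1 if declined, 2 if the reference is not pinned.
run_container_guarded() {
  image_is_digest_pinned "$1" || { echo "image $1 is not digest-pinned" >&2; return 2; }
  confirm "Start container $1?" || return 1
  # docker run --pull=never "$1"   (actual start omitted in this example)
  echo "would start $1"
}
```

The two return codes are deliberately distinct so an agent wrapper can tell "user said no" apart from "artifact failed verification"; the second should never be retried automatically.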

Intent-Code Divergence

Severity: Medium (94% confidence)

Finding
The document warns not to paste full API keys into the skill, but then provides commands that write the raw API key directly into a YAML file. Persisting plaintext secrets to disk increases exposure through backups, local compromise, shell history mishandling, and accidental disclosure.

Vague Triggers

Severity: Medium (86% confidence)

Finding
The auto-setup trigger phrases are broad and conversational, such as requests to 'help me set up' or 'monitor my hardware'. In an agent setting, broad triggers can cause unintended activation of installation and execution flows, which is risky because those flows perform network downloads and start software.

Missing User Warnings

Severity: Medium (91% confidence)

Finding
The skill recommends storing an API key under `~/.config/keldron/keldron-agent.yaml` without a clear warning that this writes sensitive credentials to disk. Users may not understand the persistence and disclosure implications, especially on shared systems or where home directories are backed up or inspected.
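The Intent-Code Divergence and Missing User Warnings findings both come down to the same file: a raw key written into `~/.config/keldron/keldron-agent.yaml`. The following added example (not Keldron's or the skill's own code) shows the insecure write the skill's commands amount to beside a hardened alternative, plus two checks a reviewer can run against an existing config. The YAML key name `api_key`, the `${KELDRON_API_KEY}` environment reference, the endpoint and the key value are assumptions for illustration; whether Keldron expands environment references in its YAML is not confirmed by the page.

```shell
#!/bin/sh
# Added example (not Keldron's or the skill's own code). The YAML schema
# (api_key, endpoint) and the ${KELDRON_API_KEY} reference are hypothetical;
# Keldron's real config format may differ. All values are constructed.

# INSECURE: what the skill's setup commands amount to. The key is written to
# disk in plaintext, with whatever mode the default umask gives (usually
# 0644), and the key also lands in shell history as a command argument.
write_config_insecure() {   # $1 = config path, $2 = API key
  mkdir -p "$(dirname "$1")"
  printf 'api_key: %s\nendpoint: https://api.example.invalid\n' "$2" > "$1"
}

# HARDENED: no literal key in the file. The key is referenced from the
# environment (assumption: the agent expands ${VAR}; if it does not, omit the
# line and pass the key via the agent's environment instead), and the file is
# created under umask 077 so other local users cannot read it.
write_config_hardened() {   # $1 = config path
  mkdir -p "$(dirname "$1")"
  ( umask 077 && printf 'api_key: ${KELDRON_API_KEY}\nendpoint: https://api.example.invalid\n' > "$1" )
}

# Check 1: does the file hold a literal credential? Flags api_key/token/secret
# keys whose value is a bare literal of 8+ characters, so environment
# references such as ${KELDRON_API_KEY} and empty values are not flagged.
config_has_plaintext_secret() {
  grep -Eiq "^[[:space:]]*(api_?key|token|secret)[[:space:]]*:[[:space:]]*[\"']?[A-Za-z0-9_.-]{8,}" "$1"
}

# Check 2: is the file readable only by its owner? Reads the ls mode string,
# which is portable across the GNU and BSD stat flag differences.
config_is_owner_only() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Combined audit: returns 0 only when both checks pass, and reports each
# failure on stderr so the user sees why the config was rejected.
audit_config() {
  ok=0
  if config_has_plaintext_secret "$1"; then
    echo "$1: contains a plaintext credential" >&2; ok=1
  fi
  if ! config_is_owner_only "$1"; then
    echo "$1: readable by group or others" >&2; ok=1
  fi
  return $ok
}
```

Running `audit_config ~/.config/keldron/keldron-agent.yaml` after following the skill's own instructions is the quickest way to confirm the finding on a real machine; the plaintext check fires regardless of file mode, and the mode check fires on any system whose default umask leaves the file group- or world-readable.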

VirusTotal

0/64 vendors flagged this skill as malicious (64/64 returned clean). This result covers the skill package as submitted; the binary and container image that the auto-setup flow fetches later are separate artifacts and are not covered by it.
