Easycode Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Java code-generation skill, but it needs Review because it can save database passwords in plaintext and optionally run local project commands.

Install only after reviewing the credential and command-execution behavior. Use a least-privilege database account, avoid production passwords, do not save or show state if it may contain secrets, inspect .easycode-skill/state.json after use, and only enable --run-project-format or project_format_command for commands you fully trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for cmd in commands:
    try:
        proc = subprocess.run(
            cmd,
            cwd=str(project_root),
            capture_output=True,
Confidence
97% confidence
Finding
proc = subprocess.run( cmd, cwd=str(project_root), capture_output=True, text=True, )

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The skill states that plaintext passwords must not be stored, but then says interactive mode persists `pass` for next-run defaults, which directly contradicts the stated memory policy. If implemented as documented, database credentials could be written to local state and later exposed through file reads, logs, backups, or reuse by unintended users/processes.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Allowing `generation_config.project_format_command` to specify custom command(s) introduces an arbitrary command-execution path unrelated to the core need of generating code from templates. In the context of an agent skill that already shells out, this broadens the attack surface substantially because user-controlled or state-derived values could trigger execution of dangerous local commands.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill's documented behavior includes running project formatter commands, which extends its effective scope from planning/generating files into executing project-local tooling. That mismatch matters because users may invoke the skill expecting deterministic generation, while the skill may also run build or formatter actions that modify files or execute additional code paths in the repository.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The schema explicitly permits a user-supplied `project_format_command` string or argument array to be executed after code generation. That extends the skill from data-driven code generation into arbitrary command execution in `project_root`, creating a direct command-injection / unsafe capability exposure risk if untrusted input reaches the tool. In this skill context, that is more dangerous because the feature is framed as a normal part of generation and could run inside a developer workspace with access to source code, credentials, and build tooling.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill explicitly supports arbitrary formatter commands from configuration and executes them as subprocesses, which exceeds a database-to-Java generation helper's stated purpose. This allows command execution under the user's account and can be abused to run any program, not merely format generated code.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Auto-running gradlew or mvnw is dangerous because those wrapper scripts are project-controlled code, not trusted formatting primitives. In the context of generating code into an arbitrary project tree, this can execute attacker-supplied wrapper scripts from a compromised repository and lead to full code execution.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The spec-template command emits realistic default credentials and an environment-specific Oracle URL, which risks accidental credential reuse and leaks sensitive internal infrastructure details. For a generic helper, shipping such values is unsafe because users may run with defaults or expose them in logs, histories, or screenshots.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The template-exposed Tool.getField method allows a Velocity template to use reflection to read arbitrary fields from objects, including private fields via setAccessible(true). In a system that renders potentially user-influenced templates and exposes rich Java objects to the template context, this breaks normal encapsulation and can disclose internal state beyond what code generation requires.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The default prompt is broad enough to trigger on generic requests about generating Java files from database tables, without clear constraints on when the skill should activate or what safety boundaries apply. In a code-generation skill that consumes database configuration and remembers prior settings, overbroad invocation can cause unintended activation, exposing stored context or initiating sensitive code-generation workflows when the user did not explicitly request them.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
Interactive execution persists the merged state, including db_connection.pass and other connection details, to a local JSON file without warning, masking, or protection. This creates a local secret-at-rest exposure and increases the chance of accidental disclosure through backups, repository commits, multi-user systems, or later inspection.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The state --show command prints the entire saved state, including database credentials, directly to stdout. That can expose secrets to terminal history, logs, recordings, or any caller capturing command output, with no masking or confirmation.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
In the non-interactive execute path, enabling run_project_format can trigger execution of configured arbitrary commands or project wrapper scripts without any warning at execution time. Because this skill is expected to generate files, hidden command execution materially increases danger and may surprise callers that treat it as a data-processing tool.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal