ClawHub

MyAider Skill Importer

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent MyAider skill importer, but it can persistently create or overwrite local agent skills from remote MCP content without requiring a full review of the generated files.

Install only if you trust your MyAider MCP server and the skills it returns. Prefer selecting individual skills instead of importing all, review generated SKILL.md files before accepting upgrades, and keep backups of existing skills because updates may overwrite them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Low
Confidence
78% confidence
Finding
The skill directs the agent to enumerate available tools to discover the MyAider server name, which expands visibility beyond the minimum capability needed for the task. While this is framed as a compatibility step rather than exfiltration, broad tool discovery can reveal unrelated integrations or capabilities and increases attack surface if a downstream prompt or tool output is adversarial.

Context-Inappropriate Capability

Low
Confidence
82% confidence
Finding
The upgrade workflow requires scanning all local skills to find those tagged with `source: myaider`, which grants broader read access to local files than is strictly necessary. In context this is used for legitimate version comparison, but it still creates unnecessary exposure to unrelated local skill contents and metadata.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill instructs the agent to create and overwrite local skill files via `skill-creator` but does not clearly warn that this modifies files on disk or may replace existing content. Even with a confirmation step, users may not understand the extent of filesystem changes, increasing the risk of accidental overwrite or installation of unsafe generated skills sourced from remote content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal