Mcp Marketplace

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its MCP marketplace purpose, but it can run installed or configured server commands and pass environment-derived secrets during health checks without strong user-facing safeguards.

Install only if you are comfortable reviewing each generated command and config change. Avoid health-checking untrusted MCP configs, use least-privilege tokens, prefer temporary environment variables or a secrets manager over shell-profile exports, and be especially cautious with npm/Smithery packages, Docker mounts, and HTTP endpoints that receive Authorization headers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
merged_env = dict(os.environ)
merged_env.update(env)

proc = subprocess.Popen(
    [command] + args,
    stdin=subprocess.PIPE,
    stdout=subprocess.PIPE,
Confidence
97% confidence
Finding
proc = subprocess.Popen( [command] + args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, env=merged_env,

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The Google Drive entry advertises write-capable management of Docs, Sheets, and Slides, but the declared OAuth scope is only drive.readonly. This mismatch can mislead users and higher-level agents into assuming broader authority than is actually granted, causing unsafe automation assumptions, authorization failures, or incorrect trust decisions around data modification.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The Gmail entry claims it can send email, while the OAuth scope listed is only gmail.readonly. This creates a dangerous capability-description mismatch that may cause users or orchestration layers to authorize or invoke the server under false assumptions about what it can do.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The Google Calendar entry says it can create and manage events, but its OAuth scope is only calendar.readonly. This inconsistency can lead to permission confusion, failed operations, and overestimation of what the integration is allowed to do.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This file adds secrets-manager discovery and credential-handling guidance to a skill described as an MCP marketplace/installer, expanding the skill's capability into secret access workflows. That mismatch increases risk because users may grant or trust broader credential-related behavior than the skill's stated purpose suggests, making abuse or accidental overreach more likely.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The INSTALL and UPDATE flows direct the agent to run shell commands and write persistent configuration after limited confirmation, but there is no mandatory user-facing warning summarizing that code will be executed on the host and files will be changed. Because packages may come from npm or Smithery and some are explicitly unverified, this materially increases risk of executing unsafe third-party code or making unwanted system changes.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The DETECT workflow tells the agent to scan the user's system for installed MCP server packages without first warning that local package/config state will be inspected. Even if the scan is limited, it can reveal installed tools and local environment details that users may consider sensitive, so consent should be explicit.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The RECOMMEND workflow instructs project scanning to infer a template from workspace files, but it does not warn the user that files and directory patterns may be inspected. Workspace inspection can expose sensitive project metadata or proprietary structure, so omission of a privacy warning is a real consent issue.

Vague Triggers

Medium
Confidence
81% confidence
Finding
Many entries use broad capability descriptions such as 'manage', 'interact with', or 'access' without clear activation constraints, scope boundaries, or negative examples. In an MCP marketplace skill, this increases the chance of unintended invocation matching or overly broad tool selection by an agent, especially for sensitive services like cloud, email, finance, and infrastructure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation instructs users to append an export line to their shell profile, which persistently modifies local configuration, but it does so without an explicit warning that this changes future shell sessions. Even though the example uses a placeholder value, this kind of guidance can lead users to permanently store secrets or alter execution behavior without understanding the persistence and security implications.

Missing User Warnings

High
Confidence
98% confidence
Finding
The troubleshooting guide recommends executing a remote installation script via `curl ... | sh`, which directly runs code fetched over the network without prior inspection. This is dangerous because compromise of the hosting site, DNS, TLS trust chain, or the script itself could result in arbitrary code execution on the user's machine.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The script enumerates local package installations and reads MCP-related config files from standard user locations, then emits a structured inventory of detected tools. In an agent skill whose purpose is marketplace installation and management, this host reconnaissance is contextually expected, but it still exposes privacy-sensitive environment details if run without clear user disclosure and consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
HTTP health checks resolve headers from configuration and environment variables, then send them to the configured URL without any confirmation or origin validation. In practice this can leak API keys, bearer tokens, or other secrets to attacker-controlled endpoints if a malicious or tampered MCP server definition is checked.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script directly executes the configured command for stdio transports, including commands loaded from .mcp.json, with inherited environment variables and additional resolved env entries. In a marketplace/install-management skill, this materially increases risk because testing a server can become immediate execution of an attacker-supplied binary or script from configuration.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The generated shellIntegration strings encourage placing secret-retrieval commands in ~/.zshrc, which causes credentials to be loaded into the shell environment automatically on every session. This broadens exposure because environment variables can leak through child processes, debugging output, crash reports, or accidental command inspection, and the note does not warn users about those tradeoffs.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.