Agent Ping

Security checks across malware telemetry and agentic risk

Overview

This is a transparent network-discovery helper with some privacy and authorization caveats, but no evidence of hidden access, persistence, credential use, or malicious behavior.

Install only if you are comfortable running a shell-based network discovery tool. Use it on domains you own or are authorized to test, expect outbound HTTP/DNS traffic and a possible ping to a discovered hub, and review any registration, AGENTS.md append, or follow-on install commands before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises shell-based behavior and direct network-scanning capability but does not declare permissions or clearly scope what external access it requires. In agent environments, undeclared shell/network capability reduces transparency and can cause the skill to be invoked without appropriate user awareness or policy enforcement.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill is framed as being able to scan "any domain" and discover agents across the internet, without narrowing to user-owned targets or requiring proof of authorization. That broad invocation language increases the chance an agent will perform unsolicited reconnaissance against third-party systems, which can violate policy or trigger abuse concerns.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The registration instructions send structured data to an external service via POST, but there is no warning that the agent name, description, capabilities, and possibly identifying metadata will be disclosed to a third party. In an agent skill, silent encouragement of outbound registration can lead to unreviewed data sharing and external account linkage.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill instructs users to append metadata to AGENTS.md/AGENT.md, modifying local workspace files without warning about persistent changes. Even though the content appears informational, hidden or persistent changes to repository files can affect discoverability, leak service endpoints, and alter project behavior or metadata unexpectedly.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# ClawSwarm (largest open hub)
curl -s -X POST "https://onlyflies.buzz/clawswarm/api/v1/agents/register" \
  -H "Content-Type: application/json" \
  -d '{"name":"YourName","description":"What you do","capabilities":["your","skills"]}'
```
Confidence
96% confidence
Finding
curl -s -X POST "https://onlyflies.buzz/clawswarm/api/v1/agents/register" \ -H "Content-Type: application/json" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.
