mcp-builder

Security checks across malware telemetry and agentic risk

Overview

This MCP development guide is coherent and purpose-aligned, but its optional evaluator can expose tool results to Anthropic and to saved reports.

Reasonable to install as an MCP development aid. Before running the evaluator, use staging or sample data where possible, avoid production secrets or personal data, review any generated tools for destructive actions, and add path and command safeguards before copying the riskier examples.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Vague Triggers

Medium, 82% confidence

Finding
The invocation description is broad enough that the skill may trigger in many coding contexts involving APIs, external services, or MCP, increasing the chance it is applied when not appropriate. Over-broad activation can cause unintended web access, excessive documentation fetching, code generation, or creation of network-enabled tooling in contexts where the user only wanted narrow advice.

Missing User Warnings

Medium, 89% confidence

Finding
The document includes an `execute_command` example that normalizes exposing shell execution as a tool, but does not place an explicit warning at the example site about mandatory user approval, strict argument allowlisting, and the high risk of command injection or arbitrary code execution. In a best-practices guide for MCP builders, examples strongly influence implementation choices, so omission of warning guidance can lead downstream developers to ship unsafe command-execution tools.

Missing User Warnings

Medium, 91% confidence

Finding
The `delete_file` annotation example demonstrates a destructive operation without nearby guidance that such tools require strong user confirmation, authorization checks, and filesystem scope restrictions. Because this file is a normative best-practices reference, presenting deletion as a straightforward example without guardrails may encourage unsafe implementations that permit accidental or malicious data destruction.

Missing User Warnings

Medium, 77% confidence

Finding
The resource example models document access using a `file://documents/{name}` URI and directly loads content based on a captured path segment, but it provides no authorization, path normalization, or access-control guidance. In an MCP context, developers may copy this pattern into real file-backed handlers, creating unintended document disclosure or path-traversal-style issues if resource names are attacker-controlled.

Missing User Warnings

Medium, 90% confidence

Finding
The resource example reads a local file path derived directly from a template parameter (`./docs/{name}`) with no path normalization, allowlist, or traversal checks. In a guide for building MCP servers, this can propagate insecure patterns into real implementations and enable reading unintended local files if developers copy the example.

Ssd 3

Medium, 98% confidence

Finding
The system prompt explicitly instructs the model to include every tool input and output in <summary> tags, and those summaries are then captured in results and written into the final report. If tools process secrets, personal data, tokens, headers, or proprietary content, the harness will encourage the model to echo that data back into logs and persisted reports, creating a direct confidentiality risk.

VirusTotal

63/63 vendors flagged this skill as clean.