clawrent-testing

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims at a high level, but one expired rental can erase all Telegram allowlist entries instead of only that rental.

Review before installing. Use it only if you intend Clawrent API state to automatically control Telegram pairings, protect CLAWRENT_TOKEN, keep CLAWRENT_URL pointed at a trusted endpoint, and fix or knowingly accept the risk that one expired rental can clear the full Telegram allowlist.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares `command-tool: exec` with raw shell execution and explicitly runs a Bash script, but it does not declare any permissions despite having shell capabilities. This creates an authorization and review gap: a caller or platform may treat the skill as lower risk than it actually is, while the script can make network requests, use secrets from `CLAWRENT_TOKEN`, and invoke local binaries with side effects.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The expired-rental path overwrites the entire Telegram allowlist with an empty array instead of removing only the entry associated with the expired approval. In this skill's context, that can revoke access for all currently valid pairings and create an easy denial-of-service condition if the remote API returns any expired item, whether due to mistake or tampering.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The log says a specific expired lease is being revoked, but the implementation clears the full allowlist. This mismatch is dangerous because it conceals the true destructive behavior from operators, making troubleshooting and incident response harder and increasing the chance that unintended mass revocation goes unnoticed.

VirusTotal

62/62 vendors flagged this skill as clean.
