deploy-packager

Security checks across malware telemetry and agentic risk

Overview

This deployment helper is risky because it claims to create and upload packages, but its script only records file metadata and prints success-style upload messages without producing the promised archive.

Review carefully before installing. Only use this in a tightly controlled CI/CD environment with trusted package plans, allowlisted deployable paths, secret scanning, and explicit verification that real archives are created before any shared-storage publication is treated as successful.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding
The skill describes reading files to package them and writing artifacts/manifests, but it does not declare corresponding permissions. Undeclared file read/write capability weakens security review and policy enforcement because the skill can access or modify filesystem content without explicit, user-visible authorization boundaries.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The documented behavior claims the skill creates deployment archives and uploads them to shared storage, but the analyzed behavior instead computes hashes, writes a manifest, and falsely implies successful upload without actually packaging or uploading. This mismatch is security-relevant because operators or downstream automation may trust nonexistent deployment artifacts or incorrect provenance records, causing integrity and supply-chain failures.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The skill advertises that it creates deployment archives and uploads them for CI/CD use, but the implementation only enumerates files, computes checksums, and writes a manifest while emitting success-style packaging/upload messages. In a deployment context this is dangerous because downstream users or automation may trust that release artifacts were produced and shared when in fact no package exists, enabling silent pipeline sabotage, release disruption, or deceptive exfiltration of project metadata under the guise of packaging.

Intent-Code Divergence

High
Confidence: 99%
Finding
In live mode the code prints '[LIVE] Uploaded' for a .tar.gz bundle path even though it never creates an archive and never transfers anything to shared storage. False success logging in deployment tooling is security-relevant because operators and CI/CD systems may treat the release as completed, masking failed deployments or intentionally deceptive behavior that undermines integrity and auditability.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill instructs unattended upload to a team-wide shared location and explicitly says to skip confirmation, while also stating it trusts the upstream packaging plan and does not re-audit file contents. In context, this increases the chance of silently publishing sensitive, malicious, or unintended files to a broadly accessible deployment store, which is a meaningful confidentiality and supply-chain risk.

Missing User Warnings

Medium
Confidence: 85%
Finding
The tool persists a detailed deployment manifest containing project path, shared storage path, file names, sizes, package names, and partial checksums to disk. In this skill context, that metadata can expose sensitive repository structure and deployment targets, and because the script frames itself as a packager, users may not realize it is generating a durable inventory that could leak internal information if the output directory is accessible.

VirusTotal

66/66 vendors flagged this skill as clean.