93%

Security checks across malware telemetry and agentic risk

Overview

This skill is a planning helper, but it quietly reads finance, wallet, draft, and secret-adjacent local state and writes a task database without clearly disclosing that scope.

Review before installing. Only run this in an environment where it is acceptable for the skill to inspect local finance and wallet state, check for draft and secret-related files, and write task state to an agency database. Treat the suggested GCP, Gmail, Cash App, BTC, and publishing actions as specific to the publisher's workflow rather than a general-purpose autocomplete system.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill advertises no declared permissions, yet the implementation reportedly uses file reads and shell-capable behavior. That creates a trust gap: users and hosting systems cannot accurately assess what the skill can access or execute, increasing the chance of unintended local data exposure or command execution in environments that rely on manifest-level declarations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill description claims a generic planning/autocomplete function, but the reported behavior includes reading local databases and status files, checking for secret/config files, and modifying SQLite state. This mismatch is dangerous because it can cause operators to authorize a seemingly harmless planning tool that actually performs sensitive local inspection and persistent state changes beyond user expectations.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill metadata promises a narrow behavior—returning exactly one approved job ID—but the implementation also initializes and mutates a persistent task database and supports marking tasks done. This mismatch expands the skill from suggestion-only into state-changing workflow management, which can mislead operators and downstream systems about what the skill is allowed to do.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code builds, stores, and displays a ranked list of multiple next steps, directly contradicting the description that it 'always outputs exactly one job ID to approve.' Contract violations like this are dangerous because orchestrators may trust the manifest and route the output into automation that assumes a single approved action, creating ambiguity and unintended execution paths.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill reads external financial and operational state, including BTC wallet balances, confession counts, and the presence of secret files, even though a next-step suggestion tool does not clearly require that breadth of access. This violates least privilege and can expose sensitive environment details that help an attacker profile assets, infer credential availability, or tailor follow-on abuse.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code silently reads sensitive financial and personal-adjacent state from local databases and files without any user-facing notice, consent boundary, or transparency in its stated purpose. In this skill context, that makes the behavior more dangerous because the tool is presented as simple autocomplete, not as an inventory or monitoring component with access to wallets, confessions, and secret-related state.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.