Google Colab GPU Runtime

Security checks across malware telemetry and agentic risk

Overview

This looks like a real Colab GPU helper, but it needs review because it can send local Google OAuth tokens and sensitive voice data into remote runtimes.

Install only if you are comfortable with a skill that can run code on Colab, consume Colab resources, read your Colab OAuth token, optionally access Google Drive with drive.file scope, and send voice samples or transcripts to remote services. Use token injection only with scripts you have reviewed, avoid untrusted generated code, stop kept-alive runtimes when done, protect or revoke exposed tokens, and consider pinning dependencies in a separate isolated environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

subprocess module call

Medium
Category: Dangerous Code Execution
Content:
import subprocess
    print("Bootstrapping .colab-venv...", file=sys.stderr)
    subprocess.check_call(["uv", "venv", VENV_DIR, "--python", "3.12"], stderr=subprocess.DEVNULL)
    subprocess.check_call([
        "uv", "pip", "install",
        "--python", VENV_PYTHON,
        "google-auth-oauthlib", "google-auth", "jupyter-kernel-client", "requests",
Confidence: 87%
Finding: subprocess.check_call([ "uv", "pip", "install", "--python", VENV_PYTHON, "google-auth-oauthlib", "google-auth", "jupyter-kernel-client", "requests", "google-api-pyt

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill clearly enables shell execution, network access, and file writes, but it does not declare permissions or prominently warn about those capabilities. In an agent ecosystem, missing permission declarations weakens user consent and policy enforcement, making it easier to invoke powerful actions without adequate review.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented behavior goes beyond the stated Colab execution purpose by including ElevenLabs access and, more importantly, injecting a local OAuth token into remotely executed scripts. Description-behavior mismatches are dangerous because users may authorize a seemingly narrow compute skill without realizing it can transmit credentials and interact with third-party services.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding: The skill's purpose is to execute code remotely on Google Colab, but it first bootstraps a local virtualenv and installs dependencies on the host machine. That mismatch makes the behavior more dangerous in context because users may expect remote execution only, while the skill performs local modifications and network-based package installation that could be abused through dependency or environment compromise.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding: The skill advertises Colab GPU TTS execution but also includes direct ElevenLabs voice-sample retrieval and fallback TTS generation for a cloned reference voice. That expands the trust boundary and enables acquisition or creation of voice-cloning material, which is privacy-sensitive and can facilitate impersonation if used without clear authorization controls.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding: This code directly integrates with ElevenLabs to enumerate voice metadata, download samples, and generate a fallback reference clip, which goes beyond merely running TTS on Colab. In a skill centered on remote GPU execution, bundling voice-cloning/sample acquisition increases misuse potential and exposes users to privacy and impersonation risks.

Missing User Warnings

Medium
Confidence: 98%
Finding: The skill instructs users to inject a local OAuth token into scripts that are then sent to a remote Colab runtime, effectively transferring credentials into another execution environment. If that runtime, script, notebook state, logs, or dependencies are compromised, the token could be stolen and used to access the user's Google Drive within the granted scope.

Missing User Warnings

Medium
Confidence: 88%
Finding: The example explicitly uses an injected Google Drive OAuth token placeholder and demonstrates writing credentials to disk and using them for remote Drive access, but the surrounding markdown does not warn users that sensitive credentials are being injected into remote code execution on Colab. In a skill designed for remote GPU execution, this increases the chance users will unknowingly expose tokens or grant broad file access in a hosted environment.

Missing User Warnings

Medium
Confidence: 90%
Finding: The checkpointing example performs authenticated remote Drive operations including listing files, deleting prior checkpoints, downloading stored content, and uploading new files, yet the markdown does not clearly disclose that remote data modification and deletion will occur. Because this skill is specifically intended for Colab and persistent Drive storage, users may reasonably run the example without appreciating that it can overwrite or remove remote files in their account.

Missing User Warnings

Medium
Confidence: 84%
Finding: The script accepts an ElevenLabs API key and immediately transmits it to a third-party service without any explicit notice, consent prompt, or safer secret-handling guidance. While network transmission to the intended API is expected, the lack of disclosure and guardrails can lead to accidental credential exposure or misuse in multi-user environments.

Missing User Warnings

Medium
Confidence: 90%
Finding: The script base64-encodes and sends reference audio and transcript text to a remote Colab runtime for synthesis without an explicit privacy warning or consent checkpoint. Because voiceprints and transcripts may contain biometric and sensitive personal data, silent remote transfer materially increases privacy risk and potential misuse.

Missing User Warnings

Medium
Confidence: 93%
Finding: The script reads a persistent OAuth token from the user's home directory, base64-encodes it, and injects it directly into a Python script that will be executed remotely. Even though the temporary file is chmod 600 and cleaned up locally, the credential is still embedded in executable content and passed onward without any interactive warning, scope restriction, or assurance that the remote runtime will handle it safely. In a Colab execution skill, this is especially dangerous because the script is intended for remote GPU runtimes and the injected token could be exfiltrated by the executed code or exposed in logs, notebooks, process state, or downstream tooling.

Missing User Warnings

Medium
Confidence: 91%
Finding: The token-bearing temporary script is handed to the Colab execution step, meaning the secret is not merely stored locally but transmitted into the remote execution path. Because this skill is specifically designed to run code on Google Colab, any script content, dependencies, or notebook-side logic can access and potentially leak the embedded token, turning a local secret-handling issue into credential exposure across a less trusted remote environment.

VirusTotal

64/64 vendors flagged this skill as clean.