mcp-to-skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate MCP-to-skill converter, but it can run and inspect untrusted MCP code, test inferred live commands, and automatically persist generated agent skills without a clear review gate.

Use this only for MCP servers you trust, preferably in a clean sandbox. Review the generated SKILL.md, helper scripts, and any inferred commands before registration; avoid automatic live command tests unless you approve the target and inputs; pin/install dependencies in an isolated environment; and use least-privilege tokens in secrets.json.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    # npm pack downloads the tarball
    result = subprocess.run(
        ['npm', 'pack', package],
        capture_output=True, text=True, cwd=str(cache_dir), timeout=60
    )
Confidence
93% confidence
Finding
result = subprocess.run( ['npm', 'pack', package], capture_output=True, text=True, cwd=str(cache_dir), timeout=60 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    return None

# Extract (--strip-components=1 strips the package/ prefix)
extract_result = subprocess.run(
    ['tar', 'xzf', str(tarball), '--strip-components=1'],
    capture_output=True, cwd=str(cache_dir), timeout=30
)
Confidence
97% confidence
Finding
extract_result = subprocess.run( ['tar', 'xzf', str(tarball), '--strip-components=1'], capture_output=True, cwd=str(cache_dir), timeout=30 )

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill claims it does not execute MCP tool calls or business logic, but it instructs the agent to run inferred equivalent commands against target services. Even if framed as testing, this can trigger real external operations and violates the stated safety boundary, which may lead users to approve actions under false assumptions.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Installing Python packages into the runtime environment changes the user's system state and introduces supply-chain and environment-integrity risks. This is especially problematic because the install is automatic and not clearly presented as a separate privileged action requiring user approval.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
Removing or assisting with removal of the original MCP configuration is not necessary for conversion and can disrupt user workflows or reduce redundancy that might be needed for rollback. A skill that both creates a replacement and nudges cleanup increases the chance of accidental loss of working configuration.

Intent-Code Divergence

Medium
Confidence
80% confidence
Finding
The skill advertises zero runtime dependencies, but the generation flow may emit helper scripts or commands that require interpreters or external tools. Misrepresenting dependency requirements can cause users to deploy generated skills into environments where they silently fail or prompt unsafe ad hoc fixes.

Missing User Warnings

Low
Confidence
77% confidence
Finding
Writing user-provided schema data to /tmp creates a local artifact that may contain sensitive service structure or operational metadata, and the user is not warned about this persistence. While /tmp usage is common, silent file creation still has privacy and data-handling implications.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Automatically installing the mcp package without a user-facing warning or approval is a meaningful side effect with supply-chain and system-modification risk. Users may not expect a conversion skill to alter their Python environment, especially on shared or production systems.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Executing inferred commands for testing can send live external requests based on imperfect analysis, which may disclose data, trigger rate limits, or interact unexpectedly with third-party services. The lack of a prominent warning and opt-in is risky because users may assume generation is offline and non-invasive.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill description does not clearly disclose that it will create directories and files in the working directory and may automatically register the result with the agent. Undisclosed filesystem and agent-state changes are dangerous because they can surprise users and persist beyond the current session.

VirusTotal

66/66 vendors flagged this skill as clean.