ClawHub

饺子安全扫描

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real local security scanner, but its results can be misleading because it skips important code directories and lowers risk based on weak name/path trust checks.

Install only if you want a heuristic local scanner and are comfortable with it reading the selected skills folder. Keep the scan path limited, review reports before sharing them, and do not treat a clean result or official/system trust label as proof that another skill is safe.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
80% confidence
Finding
The documented behavior extends beyond narrow 'skill security scanning' into arbitrary content moderation-style scanning, prompt-injection detection, and trust scoring based on heuristics. That scope expansion can mislead users about what data the tool may process and how conclusions are derived, creating a security and governance risk because operators may run it on broader or more sensitive text than intended and over-trust its ratings.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The implementation materially diverges from the advertised purpose of a security scanner for sensitive operations and backdoors. Instead of inspecting for code-execution, exfiltration, or persistence behavior, it performs phrase-based content scanning for ads/scams, which can mislead users into believing a security audit occurred when real malicious logic would go undetected.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Scanning arbitrary text and documentation for promotional/scam phrases is not inherently dangerous by itself, but in this skill context it is a misleading and unjustified capability because it substitutes unrelated checks for actual security analysis. That creates a false sense of protection and increases the chance that malicious skill behavior is missed during review.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The scanner reduces or suppresses risk based on path/name trust heuristics rather than the observed dangerous behavior. In a security scanner, this creates a bypass: a malicious skill placed under a trusted-looking path or given a whitelisted name can be reported as lower risk despite matching dangerous patterns.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The implementation maintains an internal whitelist of 'official' skills and assigns higher trust based on skill name and install path, then later lowers the reported risk for those skills. This undermines the scanner's core security purpose because an attacker who can control naming or placement may evade accurate reporting, and genuinely risky official skills would also be under-classified.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal