swanlog

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it uses the local SwanLab login to download experiment logs and profile files into a local folder.

Install only if you are comfortable letting an agent use your existing SwanLab login to fetch experiment data. Treat exported config, metadata, requirements, and metrics as potentially sensitive, and choose the output directory carefully, especially if it is synced or shared.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill instructs the agent to execute a local Python script, capture stdout/stderr, read generated files, and rely on environment variables, but the skill metadata declares no permissions. This creates a transparency and policy-enforcement gap: a reviewer or runtime may underestimate the skill's access to local files and environment-derived secrets, increasing the chance of unsafe execution in sensitive contexts.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The README explicitly says to trigger this skill aggressively for broad SwanLab-related requests, which increases the chance an agent will invoke it without a clear, fresh user confirmation. In this skill's context, invocation causes network retrieval using local cached credentials and writes remote data to disk, so over-broad triggering can lead to unintended credential-backed access and data exfiltration into the local workspace.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README normalizes automatic use of cached credentials and remote retrieval without clearly warning that the skill will access ~/.swanlab/.netrc and contact SwanLab on the user's behalf. In an agent-skill setting, that missing disclosure is dangerous because users may think they are asking for analysis only, while the agent performs authenticated network actions and downloads potentially sensitive experiment artifacts.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The README explicitly says the skill should auto-trigger aggressively for broad natural-language requests like '拉一下 swanlab' or 'pull the latest swanlab run'. In this skill's context, auto-triggering is risky because execution causes authenticated access to SwanLab and writes remote run data to local disk, so an ambiguous conversational mention could unintentionally initiate credentialed data retrieval.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README states that the skill logs in using credentials automatically read from ~/.swanlab/.netrc, but it does not present this as sensitive credential use requiring explicit user awareness or consent. In an agent skill, silent use of stored credentials is dangerous because a user may believe they are asking for analysis while the agent is actually performing authenticated network access on their behalf.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger text says to use this skill 'aggressively' for any read-side SwanLab interaction, including broad natural-language cues. Over-broad activation increases the likelihood the agent will run code and pull remote experiment data when the user only wanted discussion, triage, or high-level help, causing unnecessary data retrieval and local persistence of potentially sensitive experiment metadata and requirements.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script intentionally exports full experiment profile data, including config, metadata, requirements, and run_info, to local disk in one shot. In ML environments these artifacts often contain sensitive information such as repository URLs, internal hostnames, usernames, hardware details, dataset paths, and occasionally secrets embedded in configs or environment-derived metadata, so saving them by default can cause privacy or data-handling exposure if the output directory is shared, synced, or archived.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The tool uses the locally logged-in SwanLab account and performs authenticated network requests, but the user-facing flow does not prominently disclose that it will use stored credentials to access remote data. In an agent skill context that is triggered aggressively for read-side interactions, implicit use of existing credentials increases the chance of surprising data access or retrieval under the wrong account/project context.

Credential Access

High
Category
Privilege Escalation
Content
Given an experiment ID (or `--latest`), this skill will:

1. Log in to SwanLab using the local `~/.swanlab/.netrc` credentials.
2. Pull the experiment's `metrics` (organized into `metrics.csv`), the parsed `config.yaml`, a `metadata.json` snapshot, and `requirements.txt`.
3. Save everything to `./swanlog_<YYYY-MM-DD_HH-MM-SS>/`, named using `run.created_at`, so repeated pulls of the same run produce a **stable directory name** (idempotent).
4. Return a one-screen summary: run name / status / URL / latest train & val loss.
Confidence
94% confidence
Finding
/.netrc

Credential Access

High
Category
Privilege Escalation
Content
Afterwards, in any Claude Code session, ask Claude to '拉一下 swanlab' / 'pull the latest swanlab run', or similar, and the skill will trigger automatically.

> **Authentication**: as long as you have run `swanlab login` once in the terminal, the credentials are cached in `~/.swanlab/.netrc`; the skill reads them automatically, with no extra configuration.

### As a standalone CLI
Confidence
95% confidence
Finding
/.netrc

VirusTotal

66/66 vendors flagged this skill as clean.
