ClawHub

System Maintenance Test

Security checks across malware telemetry and agentic risk

Overview

This maintenance skill has a plausible purpose, but it asks users to run unreviewed external maintenance scripts that can create recurring jobs, change files, restore backups, and restart services without clear safeguards.

Review before installing. Inspect the GitHub repository and installer scripts at the exact version you intend to run, confirm which cron jobs, files, logs, services, backups, and .learnings entries will be changed, and make sure you know how to disable the automation and restore current state before running setup or emergency recovery commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents operational commands such as installation and maintenance execution without any explicit warning that they may modify system state, install scheduled tasks, change permissions, or interrupt services. In a maintenance skill, these actions are expected, but the lack of safety guidance increases the chance that a user will run impactful commands blindly and cause downtime or unintended changes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The emergency recovery examples include restore and process-kill/restart commands that can overwrite current state and terminate running services, yet the documentation does not warn about data loss, rollback implications, or service interruption. Because these are framed as quick recovery steps, users may execute them under stress without understanding the impact.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal