loopai-app-publish

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its App Hub publishing purpose, but its debug mode can expose the user's App Hub token while performing account-changing operations.

Install only if you trust this skill to use your local App Hub token to create, read, and update listings. Do not use --verbose unless token redaction is fixed, review app IDs and JSON batch files before running, and use public app URLs only for validation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
(is_accessible: bool, status_code_or_error: str)
    """
    try:
        result = subprocess.run(
            [
                'curl', '-s', '-o', '/dev/null',
                '-w', '%{http_code}',
Confidence
91% confidence
Finding
result = subprocess.run( [ 'curl', '-s', '-o', '/dev/null', '-w', '%{http_code}', '-L', # follow redirects '--max-t

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill explicitly describes capabilities that invoke shell commands (`curl`), perform network access to external URLs and APIs, and read local files (`--json-file`), yet no permissions are declared. This creates a transparency and governance gap: users or hosting platforms cannot accurately constrain or review what the skill is allowed to do, increasing the chance of unintended network access, SSRF-like URL fetching, or unsafe shell execution paths in the backing script.
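The two findings above (the `subprocess` call to `curl` and the undeclared network/shell capability) both come down to the same practical question: what stops the URL passed to the validation probe from pointing at a loopback, link-local or RFC 1918 address, and what keeps a hostile URL from being parsed as a curl option? The following is an added example, not code from the loopai-app-publish skill, showing a guard that runs before the probe. The names `is_public_url`, `build_curl_argv` and `check_app_url` are assumed; the resolver and the `run` callable are injectable so the check can be exercised offline.

```python
import ipaddress
import socket
import subprocess
from urllib.parse import urlparse

# Added example (hypothetical helper names): SSRF guard in front of the
# reachability probe. Only public HTTPS app URLs on port 443 are fetched.
ALLOWED_SCHEMES = {"https"}


def _resolve(hostname):
    """Default resolver: every A/AAAA answer for the hostname (real DNS)."""
    return [info[4][0] for info in socket.getaddrinfo(hostname, None)]


def _looks_like_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _is_public_ip(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_public_url(url, resolver=_resolve):
    """Return (ok, reason). Rejects non-HTTPS schemes, embedded userinfo,
    non-standard ports, and any host that resolves to a non-public address.
    Every resolved address must be public, not just the first one."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "userinfo in URL"
    if parts.port not in (None, 443):
        return False, f"port {parts.port} not allowed"
    try:
        if _looks_like_ip(parts.hostname):
            addrs = [parts.hostname]
        else:
            addrs = resolver(parts.hostname)
    except (socket.gaierror, OSError) as exc:
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "no addresses"
    for addr in addrs:
        if not _is_public_ip(addr):
            return False, f"{parts.hostname} resolves to non-public {addr}"
    return True, "ok"


def build_curl_argv(url, timeout=10):
    """argv list for the probe. List form means no shell parsing; '--' stops a
    URL beginning with '-' from being read as an option; --proto/--proto-redir
    pin the scheme even after redirects (real curl options)."""
    return ["curl", "-sS", "-o", "/dev/null", "-w", "%{http_code}",
            "-L", "--max-redirs", "3", "--max-time", str(timeout),
            "--proto", "=https", "--proto-redir", "=https", "--", url]


def check_app_url(url, run=subprocess.run, resolver=_resolve):
    """(is_accessible, status_code_or_error), mirroring the skill's documented
    return shape. The URL is vetted before any process is spawned."""
    ok, reason = is_public_url(url, resolver)
    if not ok:
        return False, f"rejected before fetch: {reason}"
    try:
        result = run(build_curl_argv(url), capture_output=True, text=True, timeout=15)
    except subprocess.TimeoutExpired:
        return False, "timeout"
    code = result.stdout.strip()
    return code.startswith("2"), code or result.stderr.strip()


if __name__ == "__main__":
    print(check_app_url("https://169.254.169.254/latest/meta-data/"))  # rejected
```

Note that the DNS-based check is still subject to rebinding between the check and curl's own lookup; if that matters for the deployment, resolve once and pass the address to curl with `--resolve`, or restrict the probe to an allowlist of app-hosting domains.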

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill description presents the skill primarily as a publishing tool, but the documented behavior also includes reading existing app details and modifying existing records, including metadata, screenshots, pricing, visibility, and communities. This mismatch is security-relevant because users and policy engines may grant trust based on a narrower stated purpose, while the skill actually supports broader state-changing operations against existing resources.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Verbose logging prints the full request headers, including the authentication token, to stderr during app creation. Any user, log collector, CI system, terminal history capture, or support bundle with access to debug output can recover the token and impersonate the account for unauthorized reads or modifications.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The detail retrieval path also prints request headers containing the authentication token when verbose mode is enabled. This creates the same credential exposure risk across a read operation, and the token can then be reused for broader authenticated API access beyond the original request.

Missing User Warnings

High
Confidence
99% confidence
Finding
This finding correctly identifies direct exposure of the authentication token in request-header debug output. In the context of an agent skill, verbose mode may be enabled during troubleshooting or automation, making credential leakage especially dangerous because logs are often shared or stored centrally.

Missing User Warnings

High
Confidence
99% confidence
Finding
The GET detail request logs headers that include the bearer-equivalent token, exposing credentials to anyone with log access. Because this operation may appear harmless, operators may enable verbose mode more casually, increasing the chance of token disclosure.

Missing User Warnings

High
Confidence
99% confidence
Finding
The update request path also logs the full authentication header set, exposing the token during modification operations. An attacker obtaining this token could perform unauthorized updates, create entries, or access protected API endpoints depending on backend permissions.
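The five findings above all describe the same defect in three code paths (create, detail read, update): verbose mode dumps the raw request headers, so the App Hub token lands in stderr, CI logs and support bundles. The example below is added here and is not the skill's code; it shows the unsafe dump beside a redacting formatter, plus a guard that a test or CI step can run over captured debug output. The header names in `SENSITIVE_HEADERS` and the helper names are assumptions.

```python
import json

# Added example (hypothetical helper names): redact credential-bearing headers
# before any --verbose output is written. Constructed sample request below.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie",
                     "x-api-key", "x-auth-token"}


def _is_sensitive(name):
    n = name.lower()
    return n in SENSITIVE_HEADERS or "token" in n or "secret" in n


def _mask(value):
    """Keep the scheme word (e.g. 'Bearer') so the log still shows the auth
    type, hide the credential, and report its length so a truncated or empty
    token is still diagnosable without printing it."""
    parts = value.split(None, 1)
    if len(parts) == 2:
        return f"{parts[0]} <redacted:{len(parts[1])} chars>"
    return f"<redacted:{len(value)} chars>"


def redact_headers(headers):
    return {k: (_mask(v) if _is_sensitive(k) else v) for k, v in headers.items()}


def format_debug_request_unsafe(method, url, headers, body=None):
    """What the findings describe: the full header set, token included."""
    lines = [f"> {method} {url}"] + [f"> {k}: {v}" for k, v in headers.items()]
    if body is not None:
        lines.append("> " + json.dumps(body))
    return "\n".join(lines)


def format_debug_request(method, url, headers, body=None):
    """Hardened form: same layout, credentials masked. Use this for every
    path that prints headers (create, detail read, update), not just one."""
    return format_debug_request_unsafe(method, url, redact_headers(headers), body)


def assert_no_secret_leaked(text, secrets):
    """Run over captured stderr in tests/CI: raise if any raw secret appears.
    This catches a new debug print that bypasses redact_headers()."""
    for secret in secrets:
        if secret and secret in text:
            raise RuntimeError("credential leaked into debug output")


if __name__ == "__main__":
    # Constructed request; the token value is a placeholder, not a real credential.
    hdrs = {"Authorization": "Bearer abc123SECRET",
            "Content-Type": "application/json",
            "X-App-Token": "tok-999"}
    print(format_debug_request("POST", "https://api.example.com/apps", hdrs,
                               {"name": "demo"}))
```

Redacting at the formatter is only half of the fix: the debug output should also go to stderr rather than a persisted log by default, and the CI job that exercises `--verbose` should run `assert_no_secret_leaked` over its captured output so the regression cannot come back silently.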

VirusTotal

64/64 vendors flagged this skill as clean.
