Fix NPM Vulnerabilities

Security checks across malware telemetry and agentic risk

Overview

The skill is mainly about npm vulnerability repair, but it tells the agent to silently install global or OS-level tools without asking first.

Review before installing. The npm vulnerability workflow is coherent, but require the agent to show and get approval for every global npm, winget, or OS package-manager install command, and review all dependency and branch changes before merging.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The skill explicitly authorizes silent installation of additional tools before asking the user, which expands execution beyond npm vulnerability guidance into unapproved system changes. Even if intended as convenience, silently invoking package managers can install unexpected software, alter the environment, and increase supply-chain risk without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The guidance omits a clear warning that the workflow may silently install software, preventing the user from making an informed decision about changes to their machine. In a security-related skill, undisclosed installation behavior is especially risky because users may assume the action is limited to auditing and dependency remediation inside the project.

Natural-Language Policy Violations

Severity: High
Confidence: 97%
Finding:
The policy directs the agent to install 'low-risk' tools silently without user opt-in, which is a direct unsafe-action authorization. This is dangerous because trust judgments like 'widely used' or 'official package' do not eliminate supply-chain, typo-squatting, or environment-modification risks, and the skill context makes users more likely to trust the automation because it is framed as a security fix.

VirusTotal

65/65 vendors flagged this skill as clean.