ClawHub

Node Auto Debugger

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local Node.js project scanner, with clear caveats that it writes a report file and its optional build check runs the target project's build script.

Install only if you want a local scanner for Node.js projects. Expect it to read source files under the selected project and create or overwrite AUTO-DEBUG-REPORT.md. Avoid --build on untrusted repositories unless you review package.json scripts first and run it in a sandbox with minimal secrets available.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script unconditionally writes AUTO-DEBUG-REPORT.md into the target project, which is a side effect beyond pure scanning. In a security/debugging context this can overwrite user expectations, modify repositories, and create unintended persistence in analyzed codebases, especially when run against sensitive or read-only projects.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Running `npm run build` executes arbitrary code defined by the target project's package.json scripts, so analyzing an untrusted repository can trigger attacker-controlled commands on the analyst's machine. Because this tool is meant to inspect projects, executing project code materially increases risk and defeats the safety expectation of a scanner.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script writes a report file into the target project without a clear user-facing warning, creating an undocumented modification to the scanned codebase. This is risky for automation, CI, or forensic analysis workflows where tools are expected to be non-mutating unless explicitly requested.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Even though the build step is optional, invoking `npm run build` on a target project without an explicit safety warning can execute arbitrary shell commands embedded in package scripts. In the context of a debugging skill that may be pointed at untrusted code, this is a meaningful code-execution risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal