Security audit

sausg

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for SAUSG automation, but it can delete broad sets of files by default and runs local programs through shell commands using user-provided paths.

Install only if you trust the local SAUSG installation and understand that running calculations may start local executables and delete files in the selected model directory. Prefer using --no-cleanup, back up project folders first, and avoid model or SAUSG paths from untrusted sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
tuple: (returncode, stdout, stderr)
    """
    try:
        result = subprocess.run(
            cmd,
            shell=True,
            capture_output=True,
Confidence
98% confidence
Finding
result = subprocess.run( cmd, shell=True, capture_output=True, text=True, encoding='utf-8', errors='replace' )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
        # Start the process
        process = subprocess.Popen(
            cmd,
            shell=True,
            stdout=subprocess.PIPE,
Confidence
99% confidence
Finding
process = subprocess.Popen( cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, cwd=SAUSG_DIR )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except Exception as e:
        # Fallback: use the system default encoding
        try:
            result = subprocess.run(
                cmd,
                shell=True,
                capture_output=True
Confidence
97% confidence
Finding
result = subprocess.run( cmd, shell=True, capture_output=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
        # Start the process
        process = subprocess.Popen(
            cmd,
            shell=True,
            stdout=subprocess.PIPE,
Confidence
98% confidence
Finding
process = subprocess.Popen( cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, cwd=SAUSG_DIR )

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises shell execution and file-reading behavior through example commands and operational guidance, but it does not declare any permissions or trust boundaries. This can cause the agent or reviewer to underestimate the skill's ability to access local files and launch executables, increasing the chance of unintended command execution against user-supplied paths.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill is presented as an automation and result-reading tool, but it performs destructive cleanup in the model directory by default before calculation. That hidden side effect can erase prior results or unrelated working artifacts, making the capability significantly more dangerous than the stated purpose suggests.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The cleanup list includes broad, generic extensions like .TXT, .DAT, .CSV, .jpg, and .png for any file in the model directory, not just files generated by SAUSG. In a real project directory this can destroy user notes, datasets, plots, and documentation unrelated to the computation.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
For an analysis/result-reading skill, invoking arbitrary shell commands for directory search and process inspection is broader than necessary and expands the attack surface. The context makes this more dangerous because the skill already accepts user-supplied paths and is intended to run on end-user systems with local file access.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The skill description contains broad activation criteria covering many generic engineering tasks and multiple product names, which can cause the skill to trigger outside a narrowly intended context. Over-triggering is dangerous here because the skill's documented behavior includes opening local models, running calculations, and reading result files via shell commands.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The natural-language trigger phrases are ambiguous and include generic terms like nonlinear analysis, seismic isolation, strengthening, steel analysis, and viewing results, any of which may appear in ordinary discussion rather than an instruction to operate software. Because this skill is designed to invoke scripts and interact with local files, ambiguous matching raises the risk of unintended activation and unsafe actions on the wrong project or path.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
Destructive cleanup is enabled by default and runs before calculation without explicit user confirmation. In a local engineering workflow this can cause immediate, irreversible loss of files and result directories, especially since users may expect a compute tool to be non-destructive.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.