ClawHub

skillhub-auto-installer

Security checks across malware telemetry and agentic risk

Overview

The skill presents itself as a read-only Skillhub search helper, but the package also contains installer and local-audit scripts that can modify the agent environment.

Install only if you are willing to treat this as an installer/auditor package, not just a search helper. Use only search.sh for read-only searching, and do not run install.sh or secure-install.sh unless you have reviewed the target skill and accept that it will download remote content and write it into the agent workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares that it is search-only and does not perform installation or local file operations, yet the analysis indicates shell capability is present without any declared permissions. Undeclared shell access is dangerous because it can execute arbitrary commands, reach the network, and interact with local resources beyond the stated trust boundary.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
This is a clear description-behavior mismatch: the skill claims to only search, but the detected behavior includes remote installation, local directory access, local file reads, audit-script execution, scanning installed skills, and writing report files. Such hidden capability expansion is dangerous because users and policy engines may grant trust based on the benign description while the skill can modify the local environment and pull untrusted code from remote sources.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script performs real installation actions by invoking `npx ... skills add ... --copy` after `cd /home/gem/workspace/agent`, which directly contradicts the skill metadata claiming it only searches and does not perform installation or local file operations. This mismatch is dangerous because users or automated systems may grant trust based on the declared scope, while the script actually fetches remote content and writes it to the local filesystem.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code gives the skill an undeclared capability: downloading a remote package from `skills.volces.com` and copying it into the local environment. In the context of a supposedly search-only skill, this expands the trust boundary and can lead to unexpected code or content being introduced into the agent workspace.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The script comments describe an installation workflow, while the published skill description says the skill only searches and performs no installation or local file operations. This documentation inconsistency is a security issue because reviewers, users, and policy systems can be misled about the actual behavior and risk profile of the skill.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill metadata says it only searches/discovers skills and performs no local operations, but this script inspects the local environment, checks network reachability, searches local filesystem paths, and executes a local shell script. That mismatch is security-relevant because users and policy systems may grant trust based on the declared search-only behavior while the code performs materially broader actions.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Although framed as a safety check, the script directly supports the installation workflow by locating an auditing tool, invoking it, and emitting a ready-to-run remote install command. In the context of a search-only skill, these installation-adjacent capabilities expand the attack surface and can be abused for social engineering or to trigger unintended local code execution through a trusted discovery interface.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The comments claim the script is 'check only, not install', but the script meaningfully drives installation by enforcing prerequisites, running an audit helper, and printing a concrete install command for the selected remote skill. This misleading framing can cause operators to underestimate the security significance of the script and approve execution they would otherwise scrutinize more carefully.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script explicitly installs a remote skill via `npx skills add` even though the skill metadata says it only searches/discovers skills and performs no installation or local file operations. This mismatch is dangerous because users and higher-level agents may grant it broader trust or invoke it in contexts where installation side effects are not expected, enabling unintended code and content to be brought into the local environment.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script writes audit output to `/tmp/pre-install-audit.json` and later inspects local files under the skills directory, contradicting the claim that it performs no local file operations. Hidden local read/write behavior undermines user expectations and can bypass policy decisions that would have denied filesystem access if the true behavior were disclosed.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
A skill advertised as marketplace search/discovery should not perform installation of remotely sourced content. Installing a skill changes the local environment and may import untrusted code or scripts, so bundling this capability into a search-oriented skill creates an unnecessary privilege and trust boundary violation.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Post-install auditing and content scanning are local security operations beyond the declared purpose of marketplace search. While intended as a safeguard, they still expand the skill's actual capability surface and can mislead operators about the permissions and local access the skill requires.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The file header presents the script as a secure installer, directly contradicting the manifest statement that the skill only searches and does not install or touch local files. Such contradictory documentation is security-relevant because users, orchestrators, and policy engines may rely on the safer manifest and unknowingly permit more powerful behavior.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script contradicts the skill's declared purpose by enumerating local skill directories, inspecting installed skills, and invoking another local audit script. This hidden expansion of scope is dangerous because users may grant trust based on the manifest's claim of being search-only, while the code actually performs local filesystem discovery and execution.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This script performs local security auditing of installed skills, including directory traversal and execution of a bundled dependency's audit script, which is outside the justified scope of a marketplace search/discovery skill. Scope mismatch increases risk because operators may not expect or review code paths that touch local state and execute additional scripts.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The inline documentation explicitly describes local security checking of installed skills, directly conflicting with the top-level metadata that says the skill only searches the marketplace and performs no local file operations. This discrepancy is a security concern because misleading metadata can bypass scrutiny and cause users to authorize a skill under false assumptions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script installs and copies a remote skill package into the local environment with `--copy` but does not explicitly warn the user that files will be written locally. This is risky because a user expecting a read-only search utility may unknowingly allow persistent filesystem changes and introduction of unreviewed third-party content.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script constructs a remote URL and then uses `npx` to retrieve and install a package from that remote service without explicit disclosure that network access and remote package retrieval will occur. In a skill advertised as search-only, hidden network/package-fetch behavior is more dangerous because users and orchestration systems may not expect supply-chain exposure.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal