
Security audit

Ipv6 P2p

Security checks across malware telemetry and agentic risk

Overview

The skill appears to support P2P networking, but it under-discloses automatic peer announcements that can expose a reachable network identity.

Review this skill carefully before installing in a private, corporate, or monitored environment. Use it only if you intentionally want active P2P discovery, understand which bootstrap nodes and peers will see your agent, and have controls to disable discovery or restrict listeners when not needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 89%

Finding
The skill documents that `p2p_discover()` 'announces to all bootstrap nodes and fans out to newly-discovered peers' but does not warn the operator that invoking it causes outbound network traffic and peer disclosure. In an agent setting, silent discovery can reveal the user's presence, network participation, or node metadata to external systems without informed consent, which is a real privacy and operational security risk.

Missing User Warnings

Severity: Medium
Confidence: 92%

Finding
The skill documents automatic outbound HTTP-based peer discovery and announcement to remote bootstrap nodes and newly discovered peers without any mention of user notice, consent, or deployment warning. This is security-relevant because using the skill causes unsolicited external network communication, reveals the agent's presence and network identity to third parties, and may violate operator expectations in restricted or privacy-sensitive environments.

Missing User Warnings

Severity: Medium
Confidence: 89%

Finding
The flow encourages sharing the agent's globally routable P2P address without warning that it exposes a stable network-reachable endpoint to others. While sharing an address is functionally necessary for P2P, omitting any privacy or trust guidance can lead users to disclose it broadly, increasing unwanted contact, probing, or targeting by untrusted peers.
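The three findings above and the overview's advice ("have controls to disable discovery or restrict listeners") describe the same missing control: the operator is never told, before `p2p_discover()` runs, which remote nodes will be contacted and what address will be published. The block below is an added example, not code from the audited skill: it models the reported behaviour (announce to bootstrap nodes, fan out to newly discovered peers) as a dry-run plan checked against an explicit operator policy before any socket is opened. The policy fields, function names, and all sample addresses are assumptions chosen for illustration; the gate is meant to wrap a discovery call, not replace it.

```python
"""Operator-side gate for an IPv6 P2P discovery step.

Added example, not code from the audited skill. It turns the discovery the
audit attributes to `p2p_discover()` into a plan that is evaluated against an
explicit operator policy before any announcement is sent. Policy fields,
function names and the sample addresses below are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DiscoveryPolicy:
    discovery_enabled: bool = False   # explicit opt-in; announcing is off by default
    allow_global_peers: bool = False  # may we announce to globally routable addresses?
    # Prefix allowlist, e.g. ["fd00::/8"] to stay inside ULA space; empty = no prefix check
    allowed_networks: List[str] = field(default_factory=list)


@dataclass
class DiscoveryPlan:
    contact: List[str]               # peers that would receive an announcement
    blocked: List[Tuple[str, str]]   # (peer, reason) pairs that would not
    warnings: List[str]              # notices the operator should see before proceeding


def _parse(addr: str):
    # Strip a zone id such as "%eth0" so link-local addresses parse on every Python version.
    return ipaddress.ip_address(addr.split("%", 1)[0])


def classify(addr: str) -> str:
    """Coarse reachability class of an address, most specific check first."""
    ip = _parse(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:   # ULA fc00::/7 for IPv6, RFC 1918 for IPv4
        return "private"
    if ip.is_global:
        return "global"
    return "other"


def gate_peer(peer: str, policy: DiscoveryPolicy) -> Optional[str]:
    """Return None if the peer may be contacted, otherwise the reason it is blocked.

    The same gate applies to bootstrap nodes and to peers learned during fan-out,
    so a remote node cannot steer announcements outside the operator's policy.
    """
    ip = _parse(peer)
    allowed = [ipaddress.ip_network(n) for n in policy.allowed_networks]
    if allowed and not any(ip in net for net in allowed):
        return "not in operator allowlist"
    if classify(peer) == "global" and not policy.allow_global_peers:
        return "globally routable peer; allow_global_peers is off"
    return None


def plan_discovery(bootstrap_nodes: List[str], listen_addr: str,
                   policy: DiscoveryPolicy) -> DiscoveryPlan:
    """Dry-run of discovery: who would learn about us, and what we would reveal."""
    if not policy.discovery_enabled:
        return DiscoveryPlan(
            contact=[],
            blocked=[(n, "discovery disabled by operator") for n in bootstrap_nodes],
            warnings=[],
        )
    contact: List[str] = []
    blocked: List[Tuple[str, str]] = []
    warnings: List[str] = []
    for node in bootstrap_nodes:
        reason = gate_peer(node, policy)
        if reason is None:
            contact.append(node)
        else:
            blocked.append((node, reason))
    if classify(listen_addr) == "global":
        warnings.append(
            f"listener {listen_addr} is globally routable: announcing it publishes "
            "a stable endpoint reachable by any peer that learns it"
        )
    if contact:
        warnings.append(f"discovery will send outbound announcements to {len(contact)} node(s)")
    return DiscoveryPlan(contact, blocked, warnings)


if __name__ == "__main__":
    # Constructed sample input: two bootstrap nodes and a link-local peer.
    sample_bootstrap = ["fd00::10", "2001:4860:4860::8888", "fe80::1%eth0"]
    policy = DiscoveryPolicy(discovery_enabled=True, allowed_networks=["fd00::/8"])
    plan = plan_discovery(sample_bootstrap, "2001:4860:4860::1", policy)
    for w in plan.warnings:
        print("WARNING:", w)
    print("would contact:", plan.contact)
    print("blocked:", plan.blocked)
```

With the default policy nothing is contacted, so a skill that wraps `p2p_discover()` this way can only announce after the operator has opted in and seen `plan.warnings`. Passing every peer learned during fan-out back through `gate_peer()` keeps a bootstrap node from expanding the announcement set beyond the allowlist.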

VirusTotal

65/65 vendors flagged this skill as clean.
