Back to skill

Security audit

ClawHub Publish

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate ClawHub publishing helper, but it also directs agents to edit unrelated local notes and uses a hardcoded personal profile check.

Install only if you intend to publish skills to ClawHub and are comfortable with the agent using your ClawHub login. Before running it, remove or ignore the hardcoded `jini92` profile check, require confirmation before file rewrites or publish commands, and treat the memory and Obsidian updates as optional bookkeeping rather than part of the publishing task.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Low
Confidence
91% confidence
Finding
The skill instructs the agent to modify local tracking documents that are outside the core publishing task, expanding scope beyond what a user would reasonably expect from a marketplace publish action. This can cause unauthorized or surprising edits to unrelated files and increases the blast radius of the skill if invoked in automation.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
The verification step hardcodes a personal ClawHub profile URL, binding a generic publishing skill to a specific account context. This leaks personal operational details and may direct users or agents to act against the wrong account, which is inappropriate for a reusable skill.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The checklist instructs authors to remove personal account names unless they are already public, but later hard-codes a specific personal marketplace profile URL (`https://clawhub.ai/u/jini92`). That embeds personally identifying account information into a reusable publishing workflow and can normalize leaking operator identity into skills or release artifacts. In this skill context the issue is primarily privacy and information disclosure rather than direct code execution, but it is still a real exposure because the document is intended for repeated operational use.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs overwriting SKILL.md and related reference files, which is a file-modifying action without any mandated confirmation or backup step. In a security context, silent self/modification of project files can destroy user-authored content, introduce unintended changes, and make it easier for an agent to alter artifacts beyond user expectations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Publishing sends the skill package to an external marketplace, yet the instructions do not require an explicit warning that local content will be transmitted off-device. Even with a sanitization checklist, users may not understand that proprietary or sensitive content in the skill directory will be uploaded to a third party.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.