Python Use Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is meant to run Python, but it presents users with a sandbox setting that is never enforced while it executes supplied code with the host's local permissions.

Install only if you are comfortable with this skill running local Python code. Treat the sandbox and dangerous-function settings as unenforced, review any generated or supplied code before execution, avoid giving it secrets or sensitive files, and prefer using it in a disposable workspace or OS-level container.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Intent-Code Divergence

Severity: Medium (97% confidence)

Finding
The skill advertises direct Python execution but never executes the supplied code and always returns a success response. This is dangerous because callers may rely on a fake execution result for automation, validation, or security workflows, creating a silent integrity failure and potentially masking failed or skipped checks.

Intent-Code Divergence

Severity: Medium (96% confidence)

Finding
The task-execution path claims it will generate and run Python for a user task, but it only returns a canned success result. In an agent setting this can mislead downstream systems into believing actions were completed, which can corrupt workflows, hide failures, and undermine security assumptions about what was actually performed.

Intent-Code Divergence

Severity: Medium (98% confidence)

Finding
The review feature claims to assess security, performance, and style, yet it always returns empty findings and success. This creates a false sense of safety: dangerous code could be treated as reviewed and approved when no analysis occurred.

Intent-Code Divergence

Severity: High (99% confidence)

Finding
The public API documents a sandbox option and defaults it to true, but the execution path in executePython ignores that flag and runs arbitrary Python directly via a subprocess on the host. This creates a dangerous false sense of isolation: callers may supply untrusted code believing it is sandboxed when it is not, leading to full local code execution with the agent's privileges.

Missing User Warnings

Severity: Medium (94% confidence)

Finding
The skill explicitly describes a flow where AI automatically generates and executes Python code, then returns results or auto-fixes issues, but it provides no warning about risks such as arbitrary command execution, file modification, network access, or exposure of sensitive data. In a code-execution skill, omitting these safety boundaries can mislead users into treating execution as harmless and can increase the chance of unsafe or over-privileged use.

Missing User Warnings

Severity: Medium (96% confidence)

Finding
The skill takes supplied Python code, writes it to disk, and executes it as a subprocess with no meaningful safety controls, confirmation, or restriction. In a skill context, this is effectively arbitrary code execution on the host environment, which can read files, exfiltrate secrets, modify data, or launch further commands depending on process privileges.

VirusTotal

63/63 vendors flagged this skill as clean.