Huo15 Plan Mode

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it promises a dangerous-command confirmation safety layer that the artifacts do not actually enforce.

Install only if you treat this as an advisory helper, not a complete safety boundary. Do not rely on it as the sole protection against destructive commands until confirmation storage, reply handling, and gated execution are implemented and tested. Review the HEARTBEAT.md changes and the eval-based integration wrapper before enabling it in a real workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documents shell-capable scripts and executable workflow steps, but the metadata declares no permissions or capability boundaries. In an agent ecosystem, this can cause the skill to be installed or trusted without users understanding it can invoke shell actions, including destructive commands after confirmation. The risk is increased because the skill explicitly brokers dangerous operations such as deletion, force-push, and process termination.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script advertises a safety control for dangerous operations, but the main dispatcher only classifies commands and prints confirmation text; it never blocks or mediates actual command execution. In an agent setting, this can create a false sense of protection, leading integrators or users to rely on it as an enforcement mechanism when dangerous commands may still run elsewhere without verified approval.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The documentation claims the script can execute or cancel operations and shows an `execute` mode, but no such action exists in the code. This mismatch is dangerous because downstream agents may assume the script provides an enforcement layer that it does not actually implement, undermining safety guarantees around destructive commands.

Natural-Language Policy Violations

Medium
Confidence
78% confidence
Finding
The confirmation flow requires replies of '是' or '否' without offering language flexibility or equivalent accepted responses. In safety-critical confirmation logic, restricting confirmation to one language can lead to misunderstandings, failed cancellations, or accidental execution if users respond naturally in another language and the parser misinterprets or retries unsafely.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
| Setting | Description |
|------|------|
| `mode` | strict = strict mode, normal = normal mode |
| `autoConfirmLowRisk` | Low-risk operations are executed automatically |
| `notifyOnCancel` | Notify the user on cancellation |

---
Confidence
89% confidence
Finding
autoConfirm

VirusTotal

VirusTotal findings are pending for this skill version.