Access Inventory

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it tells agents to persistently find and use local credentials before asking the user.

Install only after rewriting it to require explicit approval before reading credential files, scanning environment variables, using authenticated services, or verifying credentials. Keep any inventory to non-secret service names, scopes, and expiry/status notes; do not store tokens, session details, or broad credential locations in persistent agent instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The skill goes beyond maintaining an access inventory and instructs broad discovery of credentials, installed tools, and access paths before asking the user. In an agent context, this can drive unnecessary enumeration of sensitive local state and normalize searching for secrets that may not be needed for the current task.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The maintenance section explicitly promotes repeated scanning for API keys, tokens, and secrets across the system. That creates an ongoing secret-discovery workflow unrelated to many ordinary tasks and increases the chance that an agent will access, expose, or misuse credentials.

Intent-Code Divergence

Low
Confidence: 79%
Finding
The description presents the skill as a simple anti-hedging rule and inventory table, but the body also directs active credential verification, file inspection, and system scanning. This mismatch can cause users and downstream reviewers to underestimate the operational risk and grant the skill more trust than its actual behavior warrants.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs scanning for keys, tokens, secrets, and authenticated services without warning about privacy, credential sensitivity, or the risk of exposing secret material to logs, model context, or third parties. In practice, this encourages unsafe handling of highly sensitive data.

Missing User Warnings

Medium
Confidence: 97%
Finding
The override rule tells the agent to read key files and hit APIs automatically, but provides no warning about sensitive credential access, external side effects, billing, rate limits, or unauthorized use of accounts. This can lead to both local secret exposure and unintended outbound actions under stored credentials.

Natural-Language Policy Violations

Medium
Confidence: 94%
Finding
The skill uses absolute language forbidding the agent from saying it lacks access or cannot act. That suppresses truthful uncertainty communication and can pressure the agent into fabricating capability, overreaching permissions, or taking risky verification steps instead of asking for clarification.

Ssd 1

High
Confidence: 98%
Finding
The override rule semantically suppresses normal refusal and uncertainty behavior, pushing the agent to act as though permissions exist and to test them by reading keys or making calls. In security-sensitive environments, this is dangerous because it turns lack of certainty into a trigger for credential access and external action rather than a reason to pause.

Ssd 4

High
Confidence: 95%
Finding
The workflow explicitly escalates through environment inspection, config directory inspection, binary discovery, and package listing before consulting the user. This normalizes exploratory access discovery and delays consent until after potentially sensitive local inspection has already occurred.

Ssd 3

High
Confidence: 98%
Finding
The skill tells the agent where keys are stored and directs it to locate and use sensitive credentials from local files and environment data. In context, this is especially dangerous because the skill’s purpose is to remove hesitation, making it more likely an agent will access secrets proactively rather than only when necessary and authorized.

VirusTotal

66/66 vendors flagged this skill as clean.
