Smalltalk

Security checks across malware telemetry and agentic risk

Overview

This is a real Smalltalk development skill, but it needs review because it can persistently modify live images, auto-patch old images, and send source code to external LLM APIs.

Install only if you want an agent to run and modify code inside a live Smalltalk image. Prefer playground mode for experiments, back up dev images before use, stop the daemon when finished, and use the LLM explain/audit/generate commands only with code you are allowed to share with the configured provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Tainted flow: 'PID_FILE' from os.environ.get (line 40, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
        self.socket.settimeout(1.0)  # Allow periodic checks

        # Write PID file
        with open(PID_FILE, "w") as f:
            f.write(str(os.getpid()))

        print(f"🎧 Listening on {SOCKET_PATH}")
Confidence
84% confidence
Finding
with open(PID_FILE, "w") as f:

Tainted flow: 'req' from os.environ.get (line 649, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    )

    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            data = json.loads(resp.read())
            return data["content"][0]["text"]
    except urllib.error.HTTPError as e:
Confidence
97% confidence
Finding
with urllib.request.urlopen(req, timeout=30) as resp:

Tainted flow: 'req' from os.environ.get (line 649, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    )

    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            data = json.loads(resp.read())
            return data["choices"][0]["message"]["content"]
    except urllib.error.HTTPError as e:
Confidence
98% confidence
Finding
with urllib.request.urlopen(req, timeout=30) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill exposes substantial capabilities including shell execution, filesystem access, environment-variable access, MCP interaction, and network use, yet it declares no permissions or trust boundaries. That mismatch increases the chance that hosts or users will invoke it without understanding that it can read secrets, modify local state, start background processes, and send data externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared description frames the skill as an image interaction and browsing tool, but the documented behavior also includes external LLM calls, daemon lifecycle management, destructive mutation, and persistent project management. This under-describes data egress, persistence, and destructive behavior, which can mislead operators into granting broader trust than intended.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The daemon trusts a PID read from a predictable file in /tmp and then sends SIGTERM/SIGKILL to that PID without verifying that the process actually belongs to this daemon or to the same executable. An attacker who can create or modify the pid file, or exploit PID reuse, could cause termination of unrelated local processes, resulting in denial of service and potentially disrupting security-sensitive services.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The manifest/description presents the skill as a Smalltalk image interaction tool but omits that it can send code and method source to third-party LLM APIs. That omission undermines informed consent and can cause users to expose proprietary source code while believing they are using only a local interpreter/browser.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Debug mode captures a screenshot of the X display, collects stack traces, and writes an HTML report in /tmp. Those artifacts can contain sensitive application state, code, credentials, or user data, and this behavior exceeds the stated Smalltalk interaction purpose without prominent warning or minimization.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill includes built-in outbound LLM API access using environment credentials, which is materially different from its declared role of interacting with a local Smalltalk image. This mismatch makes the network transmission of code and method source more dangerous because users are less likely to anticipate or consent to external sharing.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents destructive operations such as deleting methods and classes without clearly warning about irreversible impact, especially in dev mode where changes persist. In a live programming environment, accidental or induced deletion can corrupt a project or destroy user work.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The LLM-powered commands mention API keys and providers but do not clearly state that code, method source, comments, or class contents may be transmitted to Anthropic or OpenAI. This creates a material data-exfiltration and confidentiality risk, particularly for proprietary or sensitive source code loaded from the user's Smalltalk image.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The debug workflow silently captures screenshots and stack traces and writes them to disk without an explicit warning at the call site about possible sensitive data exposure. In a live development image, these captures can include source, workspace contents, filenames, and UI state that users may not intend to persist or share.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
LLM-powered commands send provided code and fetched method source to external services, but the call paths do not present an explicit disclosure or confirmation when data is about to leave the local environment. This increases the chance of accidental disclosure of proprietary or sensitive source code.

VirusTotal

63/63 vendors flagged this skill as clean.
