CTO×CISO Training

Security checks across malware telemetry and agentic risk

Overview

This skill is local and not malware-like, but it can create official-looking training scores, certificates, and personnel reports without enough trust, privacy, or approval safeguards.

Install only in a controlled internal workspace, and do not treat its certificates, signatures, pass/fail results, or escalation reports as authoritative without separate human approval and real cryptographic signing. Avoid granting wallet or other sensitive capabilities unless the publisher explains why they are needed, and restrict access to generated training records because they contain sensitive personnel and compliance data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability
High, 98% confidence
Finding: The skill explicitly states that certificate issuance '需调用 exec 执行数字签名命令' (requires calling `exec` to run the digital-signature command), introducing arbitrary command execution into a workflow that only needs cryptographic signing. If any certificate fields, file paths, or signer parameters are attacker-controlled, this can become command injection and lead to host compromise, data theft, or tampering with training and certificate records.

Intent-Code Divergence
Medium, 96% confidence
Finding: The module claims practical scoring is sandboxed and rubric-driven, but `grade_practical()` directly accepts externally supplied `grade` values from `scenario_answers` and only clamps them to a range. This lets a caller self-assign or manipulate practical scores, undermining the integrity of pass/fail decisions and any downstream workflow that trusts these results.

Intent-Code Divergence
Medium, 89% confidence
Finding: The script claims writes are confined to a sandbox workspace, but `WORKSPACE_BASE` is fully controllable through the `TRAINING_WORKSPACE` environment variable. If an attacker can influence the runtime environment, they can redirect all generated files, including answer keys and metadata, to arbitrary filesystem locations, undermining the sandboxing guarantee and potentially causing unauthorized file creation or data exposure.

Intent-Code Divergence
Medium, 95% confidence
Finding: The code labels the signature as HMAC-SHA256 but actually computes a plain SHA-256 digest over attacker-controlled content plus a hardcoded signer string, with no secret key and no asymmetric keypair. This means anyone who can generate or modify certificate data can forge both 'CTO' and 'CISO' signatures, so the double-signature control provides no authenticity or non-repudiation.

Intent-Code Divergence
Medium, 87% confidence
Finding: The security claims overstate tamper protection: the audit hash is only a checksum of the JSON body excluding the `audit_hash` field, and the program never verifies that stored signatures are cryptographically valid. An attacker who can edit certificate files can recompute the hash and regenerate the faux signatures, making tampering undetectable despite the stated guarantees.

Missing User Warnings
Medium, 78% confidence
Finding: The exam workflow writes persistent score files and metadata containing identifiable candidate information, assessment results, and weak areas, but the skill provides no privacy notice, retention rules, or access-control guidance. In a training/HR context this data is sensitive personnel information, so unnecessary exposure or broad downstream access can create confidentiality and compliance risks.

Missing User Warnings
Medium, 80% confidence
Finding: The certificate issuance flow stores named holder records, scores, validity dates, signatures, and audit-chain data intended for persistent integrity-sensitive use, yet the skill omits safeguards around privacy, retention, disclosure, and tamper-resistant storage practices. Because certificates may be used for compliance and employment decisions, unauthorized modification or exposure would have meaningful operational and privacy impact.

Missing User Warnings
Medium, 83% confidence
Finding: The progress-reporting interface generates detailed compliance and performance reports about named individuals, including failure status, escalation recommendations, and expiry tracking, without any warning about privacy impact or downstream misuse. In an HR/compliance setting, these reports can enable overexposure of employee performance and disciplinary information if shared too broadly.

VirusTotal

67/67 vendors flagged this skill as clean.