Casely

Security checks across malware telemetry and agentic risk

Overview

Casely is a coherent QA helper that processes local requirement documents and creates local test-case files and spreadsheets.

Install only if you are comfortable with the skill reading local QA documents, creating files under projects/, and possibly changing repository Python dependency files during uv setup. Specify the intended project path when more than one project exists, review dependency changes before accepting them, and inspect generated style guides and spreadsheets before importing them into a test-management system.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill explicitly instructs creation of project directories, reading requirement/example files, writing generated outputs, and exporting XLSX files, but no permissions are declared. This creates a trust and containment problem: users and platforms are not warned that the skill can modify repository contents and process local files, increasing the risk of unintended file access or writes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The /init workflow can create directories in the repository and run environment-changing dependency commands such as uv init, uv add, or uv sync, but the skill description does not prominently warn users before these side effects occur. In practice, this can alter the local development environment, modify project configuration files, and install packages without informed consent.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The skill states that all future test cases will be generated in the detected project language by default, but it does not mention any user confirmation or override. This can cause the agent to ignore explicit user preferences, reduce transparency, and create prompt-steering behavior where untrusted example content controls future outputs.

VirusTotal

64/64 vendors flagged this skill as clean.
