watchdog

Security checks across malware telemetry and agentic risk

Overview

This Watch.dog skill is a disclosed monitoring-account integration, but it can store an API key locally and make account changes if the user authorizes them.

Install only if you want your agent to manage Watch.dog resources. Use a revocable or scoped API key if available, verify WATCHDOG_API_URL before entering credentials, protect the generated .env file, and carefully confirm any delete, pause, resume, create, or public status-page update request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no explicit permissions even though it clearly uses environment variables and makes network calls to a remote API. This weakens transparency and policy enforcement, because an agent or user may not realize the skill can access credentials and transmit account-related data externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
82% confidence
Finding
The top-level description understates the full set of account-management actions the skill can perform, including pause/resume, delete operations, tracker page updates, and local credential-file usage. Description-to-behavior mismatches are dangerous because users may authorize a seemingly read-only or limited skill without understanding it can modify or remove resources.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill exposes destructive operations (delete_monitor and delete_watchdog) that go beyond the core status-checking use case described in the metadata. Even though the prompt says confirmation is required, that safeguard is only in natural-language instructions and is not enforced in code, so an agent or integration could invoke deletion directly and irreversibly remove user resources.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to automatically perform a silent `list_monitors` call immediately after credentials are provided, but this is not presented as a consequential network action against the user's account. That means credential entry triggers remote account-data access without an explicit, contemporaneous user request or clear consent for the test action itself.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The behavioral prompt directs automatic overwrite of a local .env file containing credentials without an explicit user-facing warning or confirmation about modifying local files. In agent environments that do provide file-writing tools, this can silently persist secrets to disk, overwrite existing configuration, and increase the risk of credential exposure or accidental environment corruption.

Ssd 3

Medium
Confidence
94% confidence
Finding
Automatically and silently listing monitors after credential entry retrieves user account information even if the user only intended to store or update credentials. This creates unnecessary data exposure and may reveal infrastructure inventory to the agent context without a specific user request.

Ssd 3

Medium
Confidence
90% confidence
Finding
The prompt explicitly tells the agent to solicit API credentials from the user and persist them into a local .env file. Storing secrets in plaintext on disk broadens exposure to other local processes, backups, logs, or accidental commits, and the skill context increases the sensitivity because these credentials authorize remote monitor-management actions.
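Several findings above (destructive delete tools gated only by a prompt sentence, the .env file overwritten without confirmation, credentials stored readable on disk, and the overview's advice to verify WATCHDOG_API_URL) share one root cause: the safeguards live in natural language, where an agent or a direct integration can skip them. The block below is an added example, not code from the Watch.dog skill or from SkillSpector, showing how a wrapper around the skill's tools can enforce the same controls in code. The host name "api.watch.dog", the FakeWatchdogApi class, and the demo() function are assumptions made for the example; only the tool names delete_monitor, delete_watchdog and list_monitors come from the page.

```python
# Added example (not the Watch.dog skill's own code): enforce in code what the
# skill prompt only asks for in words. Three controls are demonstrated:
#   1. WATCHDOG_API_URL is validated before any credential is used or stored.
#   2. The .env file is created atomically with mode 0600 and is never replaced
#      unless the caller explicitly passes overwrite=True.
#   3. Destructive tools refuse to run unless the same call carries confirmed=True,
#      so a prompt that "forgets" the confirmation step cannot delete anything.
import os
from urllib.parse import urlparse

# Assumption: the API host the user expects. "api.watch.dog" is a placeholder;
# substitute the host from the skill's own documentation.
ALLOWED_API_HOSTS = {"api.watch.dog"}

# Tool names taken from the findings on this page.
DESTRUCTIVE_TOOLS = {"delete_monitor", "delete_watchdog"}


class ConfirmationRequired(PermissionError):
    """Raised when a destructive tool is invoked without explicit confirmation."""


def validate_api_url(url: str) -> str:
    """Accept only an https URL on the allow-list with no embedded credentials."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError(f"WATCHDOG_API_URL must use https, got {parts.scheme!r}")
    if parts.hostname not in ALLOWED_API_HOSTS:
        raise ValueError(f"unexpected API host {parts.hostname!r}")
    if parts.username or parts.password:
        raise ValueError("WATCHDOG_API_URL must not embed credentials")
    return url


def write_env_file(path: str, api_key: str, api_url: str, overwrite: bool = False) -> str:
    """Persist credentials to a .env file readable only by its owner.

    Without overwrite=True an existing file is left untouched (O_EXCL makes the
    check-and-create atomic, so there is no exists()/open() race).
    """
    validate_api_url(api_url)
    flags = os.O_WRONLY | os.O_CREAT | (os.O_TRUNC if overwrite else os.O_EXCL)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"WATCHDOG_API_KEY={api_key}\nWATCHDOG_API_URL={api_url}\n")
    # The mode passed to os.open only applies on creation; tighten an
    # overwritten pre-existing file too.
    os.chmod(path, 0o600)
    return path


class ToolGateway:
    """Routes tool calls and gates destructive ones on a per-call confirmation flag."""

    def __init__(self, handlers):
        self.handlers = handlers
        self.audit = []  # (tool, args, confirmed) for every call, shown to the user

    def call(self, name, confirmed=False, **kwargs):
        if name not in self.handlers:
            raise KeyError(f"unknown tool {name!r}")
        if name in DESTRUCTIVE_TOOLS and not confirmed:
            # Cannot be satisfied by prompt text alone: the caller must pass
            # confirmed=True on the very call that performs the deletion.
            raise ConfirmationRequired(name)
        self.audit.append((name, kwargs, confirmed))
        return self.handlers[name](**kwargs)


class FakeWatchdogApi:
    """Constructed in-memory stand-in for the remote API so the example runs offline."""

    def __init__(self):
        self.monitors = {"m1": "https://example.com", "m2": "https://example.org"}

    def list_monitors(self):
        return dict(self.monitors)

    def delete_monitor(self, monitor_id):
        return self.monitors.pop(monitor_id)


def demo():
    """Returns (monitors before, unconfirmed delete blocked?, monitors after)."""
    api = FakeWatchdogApi()
    gw = ToolGateway({"list_monitors": api.list_monitors,
                      "delete_monitor": api.delete_monitor})
    before = len(gw.call("list_monitors"))
    try:
        gw.call("delete_monitor", monitor_id="m1")  # a prompt-only safeguard would let this through
        blocked = False
    except ConfirmationRequired:
        blocked = True
    gw.call("delete_monitor", confirmed=True, monitor_id="m1")
    return before, blocked, len(gw.call("list_monitors"))


if __name__ == "__main__":
    print(demo())  # (2, True, 1)
```

The gateway also records every call, confirmed or not, in `audit`; surfacing that list to the user is the cheapest fix for the "silent list_monitors" findings, since the connection test then appears in the transcript as the network action it is rather than happening invisibly.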

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
"check uptime", "review watchdogs", or "create a website monitor".
  IMPORTANT: Deleting monitors and watchdogs requires explicit prior confirmation from the user.
  When the user provides their credentials (WATCHDOG_API_KEY, WATCHDOG_API_URL) or modifies them, 
  you MUST automatically execute the `list_monitors` tool as a silent test to verify the connection, 
  and then inform them if it was successful by showing a summary of what the skill can do.
version: "1.0.0"
author: Watch.dog Team
Confidence
91% confidence
Finding
automatically execute

VirusTotal

66/66 vendors flagged this skill as clean.
