ClawHub

Django Vue Admin

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Django/Vue code generator, but its admin templates contain unsafe permission and password patterns while encouraging direct use of generated CRUD code.

Review this skill before installing or using its output. Treat it as scaffolding only: fix the object-permission return logic, remove the 0000 default password, audit RBAC maps, queryset scoping, serializers, and delete/update behavior, and run the generator only on a backed-up branch because it writes over common project files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

High
Confidence
99% confidence
Finding
`RbacPermission.has_object_permission` calls `has_obj_perm(request.user, obj)` but ignores its boolean result and always returns `True`. This defeats documented object-level data access control, allowing authenticated users to access objects outside their authorized department or ownership scope wherever object permissions are relied upon.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly tells users they can directly copy generated CRUD code into their project, and the generated examples include write, update, and delete operations. Without a clear warning to review, test, and security-audit the generated code first, users may deploy unsafe authorization logic, destructive endpoints, or project-incompatible patterns that can cause data loss or privilege issues.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The skill states it will automatically read internal template documents to drive code generation, but does not disclose that referenced project or template content may influence outputs in ways the user does not fully see or validate. In a code-generation context, this can propagate insecure patterns, hidden assumptions, or context-derived logic into generated code without adequate transparency.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal