Boil

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real remote-workflow integration, but it asks agents to upload project archives and send prompts/metadata to Boil with API credentials while leaving important scope and endpoint details ambiguous.

Install only if you intentionally want an agent to hand work off to Boil and are comfortable reviewing what leaves your machine. Before use, confirm the correct API host, keep the API key in a secure environment variable, inspect checkpoint archives before upload, and avoid using it in repositories containing secrets or confidential code unless Boil is approved for that data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The guide explicitly instructs agents to make bearer-authenticated API calls to complete workflow steps, including submitting metadata and prompt contents to a remote service. Even if operationally intended, this expands the skill from local text editing into authenticated network actions and can cause unintended data disclosure or misuse of credentials if followed automatically.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding:
The document claims all work is text-only and warns never to execute shell commands, but then repeatedly instructs the agent to run shell commands such as curl, tar, ls, cat, and rm. This contradiction can defeat safety expectations and normalize command execution against untrusted archives and paths, increasing risk of command misuse or unsafe handling of malicious content.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The skill repeatedly instructs the agent to send a bearer API key in curl commands without any guidance on secure storage, redaction, shell history exposure, or avoiding accidental disclosure in logs and transcripts. In an agent setting, this is risky because the model may echo the key, persist it in notes, or expose it through command history or debugging output while interacting with external services.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The skill description and surrounding metadata are broad enough that an orchestrator could invoke this skill for a wide range of coding, collaboration, or bounty-related tasks without clear boundaries. In an agent ecosystem, overbroad invocation criteria can route sensitive work, credentials, or autonomous actions to an external service unnecessarily, increasing the chance of unintended data exposure or unsafe delegation.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill instructs users to upload a full checkpoint archive to a presigned URL without clearly warning that the archive may contain sensitive source code, secrets, personal data, or third-party material. That omission increases the risk of unreviewed exfiltration of project contents to an external service.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The punch-out flow sends commentary, file lists, and the evolved prompt content to a remote API without an explicit notice that these fields may contain sensitive project information. Because the prompt is cumulative and rich in context, transmitting it wholesale may leak internal architecture notes, code-derived details, or other confidential content.

VirusTotal

62/62 vendors flagged this skill as clean.