Business Blueprint Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local business-blueprint generator/exporter, with no evidence of hidden network access, credential use, destructive behavior, or exfiltration.

Install only if you are comfortable with the skill reading the business materials you provide and storing derived blueprint files, diagrams, patch logs, and audit metadata locally. Do not pass tokens, passwords, customer secrets, or sensitive source text as command-line arguments, because export audit files retain the CLI arguments. Review generated HTML/SVG/JSON before sharing them outside your workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs the agent to read repository files, write generated artifacts into the workspace, and execute Python scripts via subprocess/CLI, which are code-execution and filesystem capabilities. Because these capabilities are not explicitly declared or constrained, the agent may operate with broader authority than a reviewer expects, increasing the chance of unintended file access, shell execution, or network use through the underlying Python toolchain.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The validation report indicates the packaged skill includes subprocess-driven CLI and test execution paths, which expand capability beyond the declared blueprint authoring/export scope. In an agent skill context, unnecessary process-spawning increases attack surface and can enable command execution, environment interaction, or abuse if those code paths are reachable or later repurposed.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
A business-blueprint generation/export skill does not inherently need subprocess execution, so its presence is a strong sign of over-privileged or out-of-scope functionality. If exposed to user-controlled data or agent orchestration, subprocess capability can be leveraged for arbitrary command execution, data exfiltration, lateral movement, or persistence depending on runtime permissions.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The exporter mutates the caller-supplied blueprint in place by writing inferred `layer` values into `blueprint['library']['systems']`. In an agent skill, shared objects may be reused across later steps, so this can create hidden state changes, inconsistent downstream behavior, and route/output decisions that depend on prior exports rather than original input.
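The hidden-state problem above, shown as an added example that is not the skill's own code: `export_mutating` follows the pattern the finding describes (inferred `layer` values are written back into the caller's `blueprint['library']['systems']`), and `export_pure` is the corrected form that works on a deep copy. The blueprint shape, the `depends_on` field and the layer rule (layer 0 for no dependencies, otherwise one more than the deepest dependency) are assumptions made for the illustration.

```python
import copy

# Constructed sample blueprint (not taken from the skill); only the
# `library.systems` path matches the structure named in the finding.
SAMPLE_BLUEPRINT = {
    "library": {
        "systems": [
            {"name": "crm", "depends_on": []},
            {"name": "billing", "depends_on": ["crm"]},
            {"name": "reporting", "depends_on": ["billing"]},
        ]
    }
}


def infer_layers(systems):
    """Hypothetical layer rule: 0 with no dependencies, else 1 + deepest dependency.
    Assumes the dependency graph is acyclic."""
    by_name = {s["name"]: s for s in systems}
    memo = {}

    def layer(name):
        if name not in memo:
            deps = by_name[name].get("depends_on", [])
            memo[name] = 0 if not deps else 1 + max(layer(d) for d in deps)
        return memo[name]

    return {name: layer(name) for name in by_name}


def export_mutating(blueprint):
    """Pattern the finding describes: the caller's object is modified in place."""
    systems = blueprint["library"]["systems"]
    layers = infer_layers(systems)
    for s in systems:
        s["layer"] = layers[s["name"]]  # side effect visible to every later step
    return {"systems": [dict(s) for s in systems]}


def export_pure(blueprint):
    """Corrected pattern: derive layers on a deep copy; the input is left untouched."""
    bp = copy.deepcopy(blueprint)
    systems = bp["library"]["systems"]
    layers = infer_layers(systems)
    for s in systems:
        s["layer"] = layers[s["name"]]
    return {"systems": systems}


def caller_was_mutated(export_fn):
    """Run an exporter on a fresh copy of the sample and report whether it leaked state."""
    bp = copy.deepcopy(SAMPLE_BLUEPRINT)
    export_fn(bp)
    return any("layer" in s for s in bp["library"]["systems"])


if __name__ == "__main__":
    print("mutating exporter leaks layer into caller:", caller_was_mutated(export_mutating))
    print("pure exporter leaks layer into caller:   ", caller_was_mutated(export_pure))
```

Calling `caller_was_mutated` on each exporter is the check a reviewer can apply to any export path: if the input object changes, a later step that reuses it will see derived data as if it were user input.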

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
This script presents itself as an A/B experiment with quantified improvement targets and statistical significance, but later relies on estimated and hardcoded values rather than a real experimental design. That can mislead users, reviewers, or decision-makers into trusting unsupported performance claims, which is a security-relevant integrity issue when reports may drive deployment or governance decisions.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The code labels new-system layer accuracy as a measured result but assigns a constant value of 1.0 instead of deriving it from test outcomes. This creates a false assurance narrative and can inflate perceived model quality in a way that undermines the integrity of testing and downstream approval processes.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The script claims statistical significance but fabricates the p-value from whether uplift crosses a threshold, which is not a valid statistical test. Falsified significance can materially mislead stakeholders into believing a change is scientifically validated, increasing the chance of unsafe or unvetted adoption.
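The two reporting defects above (a constant standing in for a measured accuracy, and a p-value decided by a threshold) contrasted with a real measurement, as an added example that is not the skill's script. The per-system outcome vectors are constructed, the uplift target of 0.10 is an assumption, and the real test used is a two-sided two-proportion z-test on the normal approximation, which is one valid choice, not the only one.

```python
import math

# Constructed correct/incorrect outcomes for a control and a variant classifier
# over the same 20 systems (1 = layer predicted correctly). Not real data.
CONTROL = [1, 1, 0, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 1, 0, 1, 0, 1, 1]  # 13/20
VARIANT = [1, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1]  # 17/20

HARDCODED_ACCURACY = 1.0  # the constant the finding describes, not a measurement


def accuracy(outcomes):
    """Measured accuracy: correct predictions over total predictions."""
    return sum(outcomes) / len(outcomes)


def fabricated_p_value(uplift, threshold=0.10):
    """Pattern the finding describes: 'significance' follows from clearing a target."""
    return 0.01 if uplift >= threshold else 0.5


def two_proportion_z_test(successes_a, n_a, successes_b, n_b):
    """Two-sided two-proportion z-test (pooled SE, no continuity correction).
    Returns the p-value under the null hypothesis of equal accuracy."""
    p_a, p_b = successes_a / n_a, successes_b / n_b
    pooled = (successes_a + successes_b) / (n_a + n_b)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n_a + 1 / n_b))
    if se == 0:
        return 1.0
    z = (p_b - p_a) / se
    # P(|Z| >= |z|) for a standard normal, via the complementary error function
    return math.erfc(abs(z) / math.sqrt(2))


def report(control, variant):
    """Side-by-side: what the fabricated report would claim vs. what the data support."""
    acc_c, acc_v = accuracy(control), accuracy(variant)
    uplift = acc_v - acc_c
    return {
        "control_accuracy": acc_c,
        "variant_accuracy_measured": acc_v,
        "variant_accuracy_hardcoded": HARDCODED_ACCURACY,
        "uplift": uplift,
        "claimed_p": fabricated_p_value(uplift),
        "measured_p": two_proportion_z_test(sum(control), len(control), sum(variant), len(variant)),
    }


if __name__ == "__main__":
    for k, v in report(CONTROL, VARIANT).items():
        print(f"{k:>28}: {v:.4f}")
```

On this sample the uplift (0.20) clears the assumed 0.10 target, so the fabricated path reports p = 0.01 and "significant", while the z-test on the same 20-vs-20 outcomes gives p of roughly 0.14: consistent with chance at the usual 0.05 level. That gap is exactly why a reviewer should refuse any p-value that is not traceable to a test statistic and sample sizes.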

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code persists `sys.argv.copy()` into a timestamped markdown file in the export directory, which can capture secrets passed via command-line flags or positional arguments such as tokens, passwords, internal URLs, or customer data. Because this file is intentionally retained as audit history, the exposure can persist long-term and may be unintentionally shared alongside exported artifacts.
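A redaction step that an exporter could apply before persisting `sys.argv`, as an added example rather than the skill's code. The flag names treated as secret-bearing (`--token`, `--password`, `--api-key`, `--secret`) and the allowlist of flags worth recording are assumptions; the argv sample is constructed. Two approaches are shown because they fail differently: a denylist redacts known secret flags and credential-bearing URLs but cannot recognise a secret passed positionally, whereas an allowlist records only flags known to be safe and drops everything else.

```python
import re
import sys

# Assumed flag names whose values are secrets (hypothetical for this skill).
SECRET_FLAGS = {"--token", "--password", "--api-key", "--secret"}
SECRET_PREFIX = re.compile(r"^--(token|password|api-key|secret)=", re.IGNORECASE)
# scheme://user:pass@host ... -> credentials embedded in a URL argument
URL_WITH_CREDS = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@]+@", re.IGNORECASE)

# Assumed flags that carry no sensitive data and are useful in an audit trail.
ALLOWLISTED_FLAGS = {"--format", "--output-dir", "--verbose"}

# Constructed argv, as a shell would hand it to the exporter.
SAMPLE_ARGV = [
    "export.py", "--format", "svg", "--token", "sk-live-abc123",
    "--api-key=XYZ987", "https://alice:hunter2@intranet.example/hub", "plan.md",
]


def redact_argv(argv):
    """Denylist: keep argv shape, replace values of known secret flags and URL credentials."""
    out, skip_next = [], False
    for arg in argv:
        if skip_next:                      # value following a secret flag
            out.append("<redacted>")
            skip_next = False
        elif arg in SECRET_FLAGS:          # --token VALUE
            out.append(arg)
            skip_next = True
        elif SECRET_PREFIX.match(arg):     # --token=VALUE
            out.append(arg.split("=", 1)[0] + "=<redacted>")
        elif URL_WITH_CREDS.match(arg):    # https://user:pass@host/...
            out.append(re.sub(r"://[^/@]+@", "://<redacted>@", arg))
        else:                              # positional secrets are NOT detected here
            out.append(arg)
    return out


def allowlisted_argv(argv):
    """Allowlist: record the program name and only known-safe flags with their values."""
    out, i = [argv[0]], 1
    while i < len(argv):
        arg = argv[i]
        if arg in ALLOWLISTED_FLAGS and i + 1 < len(argv):
            out.extend([arg, argv[i + 1]])
            i += 2
        else:
            i += 1                         # secret flags, URLs and positionals are dropped
    return out


def audit_line(argv=None, strategy=allowlisted_argv):
    """The line an export audit file should keep instead of the raw sys.argv copy."""
    argv = sys.argv.copy() if argv is None else list(argv)
    return "Command: " + " ".join(strategy(argv))


if __name__ == "__main__":
    print(audit_line(SAMPLE_ARGV, redact_argv))
    print(audit_line(SAMPLE_ARGV, allowlisted_argv))
```

The denylist output still contains `plan.md`, which is harmless here but would leak a customer secret passed in the same position; the allowlist output never can, at the cost of recording less. For an artifact that is kept as long-lived audit history and exported alongside the deliverables, the allowlist is the safer default.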

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal