ClawHub

Performance Testing Toolkit

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate performance-testing skill, but it needs review because it encourages high-volume traffic to arbitrary URLs without clear authorization or safety guardrails.

Install only if you understand this is a traffic-generating testing tool. Use it only on systems you own or are explicitly authorized to test, start with low concurrency, avoid production credentials, and treat the reported stress-test results cautiously until the inconsistent CLI/docs and simulated stress-test path are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill documentation clearly describes capabilities that require network access and likely file write access for report generation, yet no permissions are declared. This creates a transparency and governance gap: users or platforms may authorize or run a skill without understanding that it can send high-volume traffic to external systems and write output artifacts.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README provides concrete load and stress testing commands that can generate substantial traffic against a target system, including a stress test up to 1000 concurrent users, without any warning about authorization, rate limits, production safety, or availability impact. In a performance-testing toolkit, this omission materially increases the chance that users will aim these commands at third-party or production systems and unintentionally cause service degradation or denial of service.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill teaches load and stress testing of target URLs without any safety guidance, authorization requirement, or warning about service disruption. Because this tool's intended function is to generate significant traffic, missing guardrails materially increases the risk of accidental denial-of-service against production or third-party systems.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
aiohttp>=3.9.0
asyncio
dataclasses
Confidence
92% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
aiohttp>=3.9.0
asyncio
dataclasses
pyyaml>=6.0.1
Confidence
92% confidence
Finding
aiohttp>=3.9.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
aiohttp>=3.9.0
asyncio
dataclasses
pyyaml>=6.0.1
jinja2>=3.1.2
psutil>=5.9.6
pytest>=7.4.0
Confidence
95% confidence
Finding
pyyaml>=6.0.1

Unpinned Dependencies

Low
Category
Supply Chain
Content
asyncio
dataclasses
pyyaml>=6.0.1
jinja2>=3.1.2
psutil>=5.9.6
pytest>=7.4.0
pytest-asyncio>=0.21.0
Confidence
90% confidence
Finding
jinja2>=3.1.2

Unpinned Dependencies

Low
Category
Supply Chain
Content
dataclasses
pyyaml>=6.0.1
jinja2>=3.1.2
psutil>=5.9.6
pytest>=7.4.0
pytest-asyncio>=0.21.0
statistics
Confidence
88% confidence
Finding
psutil>=5.9.6

Unpinned Dependencies

Low
Category
Supply Chain
Content
pytest>=7.4.0
pytest-asyncio>=0.21.0
statistics
matplotlib>=3.8.0
numpy>=1.24.0
Confidence
86% confidence
Finding
matplotlib>=3.8.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pytest-asyncio>=0.21.0
statistics
matplotlib>=3.8.0
numpy>=1.24.0
Confidence
90% confidence
Finding
numpy>=1.24.0

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal