btw command

Security checks across malware telemetry and agentic risk

Overview

This local question helper is not malware, but it can let timeout defaults stand in for human approval in sensitive workflows and exposes supplied context in logs.

Install only if you treat it as a local console/log prompt helper, not a reliable approval gate. Use explicit fail-closed defaults such as 'no', 'skip', or 'staging', avoid timeout defaults for production, deletion, account, credential, or security actions, and do not put secrets or sensitive customer/incident data in the question or context fields.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The skill claims to support non-blocking clarifying questions, but `run()` waits synchronously on `waitForAnswer()` until an answer or timeout occurs. In an agent workflow, this can stall execution for up to an hour, creating an easy denial-of-service condition and breaking expected control-flow guarantees for a supposedly asynchronous skill.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
Although the header comments say the implementation is local and makes no external API calls, the code deliberately writes question text, options, defaults, and potentially arbitrary context to console logs. In many deployments, logs are centrally collected or visible to operators and third-party systems, so this can expose sensitive workflow data outside the intended local execution boundary.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The activation guidance is broad enough to trigger in many normal agent workflows, including deployment, code review, data handling, and security checks. That increases the chance an agent invokes this skill in contexts where a non-blocking question with fallback behavior is inappropriate, causing silent or weakly supervised decision-making around sensitive actions.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The documentation explicitly promotes automatic default answers for consequential decisions such as deployment and security-related actions, without requiring an explicit acknowledgment that the agent may proceed without real user input. In this context, timeout defaults can become implicit authorization, enabling production changes or security decisions to occur based on stale or unsafe defaults.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The implementation logs `context` verbatim without redaction or user warning. Because `context` is an untyped object likely to carry deployment decisions, code review details, data validation inputs, or security-check data, this creates a direct confidentiality risk through log leakage.

VirusTotal

59/59 vendors flagged this skill as clean.