Claw Security Suite

Security checks across malware telemetry and agentic risk

Overview

This looks like a security scanner, not malware, but it overstates its protections and can make cloud reputation calls in ways users should review first.

Install only if you treat this as a heuristic helper, not a guaranteed security control. Do not let its policy file override platform, admin, or user rules. For private skills or privacy-sensitive environments, avoid passing skill_name/source or disable the cloud endpoint, and review who can read the local baseline and report files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding:
The changelog documents contradictory security-relevant behavior: one version states that no external services are called by default, while a later entry says cloud reputation checks are actually enabled with a built-in Tencent Cloud endpoint. This can mislead users and reviewers about data egress and trust boundaries, causing deployment in environments where unexpected outbound requests are a policy or privacy violation.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding:
The module advertises logic security auditing for over-privilege and least-privilege analysis, and even accepts a declared_permissions parameter, but never uses that parameter in any decision. This creates a misleading security control: callers may believe permission declarations are being validated when they are silently ignored, allowing overprivileged or policy-violating skills to be marked safe if no regex hits are found.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The module docstring claims the component detects and blocks attacks and automatically sanitizes input, but the implementation mainly performs regex-based detection and reporting. This mismatch is dangerous because downstream developers may rely on it as an active security control and fail to add real enforcement, allowing malicious input to pass through unblocked in integrated systems.

Intent-Code Divergence

Severity: Low
Confidence: 94%
Finding:
The check() function returns clean_input unchanged even when content is flagged as malicious, despite the surrounding runtime-protection framing. If integrators trust clean_input as safe for further processing, malicious payloads can continue into later components, undermining the intended defense boundary.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The scanner sends `skill_name` and `source` to a remote cloud intelligence endpoint before or alongside local scanning, and this file shows no user notice, consent flow, or data-minimization controls. Even if the payload is small, it still discloses metadata about locally scanned skills to a third party, which can leak private project names or usage patterns.

VirusTotal

64/64 vendors flagged this skill as clean.