Github Experiment Accuracy

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for ML repository evaluation, but it tells agents to run an unsafe model-loading workflow that could execute code from an untrusted download.

Install only for use inside a disposable, isolated environment with no sensitive files, credentials, or network reachability you care about. Do not let it load untrusted `.pt` files with `weights_only=False`; prefer safetensors or a locally defined architecture with a verified `state_dict`, and review repository code and dependencies before running any evaluation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
This workflow explicitly deserializes a PyTorch model object from an untrusted, freshly downloaded repository using `torch.load(..., weights_only=False)`. PyTorch pickle-based deserialization can execute attacker-controlled code during loading, so a malicious repository can achieve arbitrary code execution on the analyst's machine under the guise of model evaluation.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The skill performs network retrieval of arbitrary GitHub content, copies a user-supplied local file into the downloaded project, and writes multiple outputs, yet it does not clearly warn the user about these side effects or require explicit confirmation. In this context, the combination is risky because the skill is designed to operate on untrusted repositories and local data, increasing the chance of unintended data exposure, overwrites, or processing of malicious content.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The instructions tell the agent to load an untrusted model from the downloaded repository with `weights_only=False` and provide no warning that this is unsafe. That setting enables full object unpickling, which is a known arbitrary code execution vector when the model file comes from an untrusted source, making this especially dangerous in a skill centered on downloading third-party repositories.

Missing User Warnings

Severity: Low
Confidence: 89%
Finding:
The workflow explicitly instructs cloning or downloading arbitrary GitHub repositories and copying user-provided data into local project directories, but it provides no warning, consent step, sandboxing guidance, or restriction on what may run afterward. In the context of a skill designed to fetch and execute untrusted third-party ML projects, this omission is dangerous because it normalizes network access and local file modification that can lead to execution of malicious code, unsafe dependency installation, or unintended handling of sensitive local data.

VirusTotal

66/66 vendors flagged this skill as clean.