auto backup manager

Security checks across malware telemetry and agentic risk

Overview

This backup skill is not malware, but it is materially under-scoped and misleading for a tool that can read sensitive local and Docker data and persist backup credentials.

Review carefully before installing. Use only in a test environment unless you are comfortable with it creating a restic password file, running restic and docker commands, and backing up the hardcoded /opt/king/sae path plus king-qdrant and king-redis Docker volumes. Do not rely on the advertised enterprise, restore, scheduling, compliance, or multi-cloud features without independent validation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises operationally powerful backup and restore capabilities and the analyzer detected shell, environment, and file-write behavior, yet no permissions are declared. That creates a transparency and consent failure: users may invoke a skill that can read environment secrets, modify files, and execute system commands without an explicit permission boundary, which is especially dangerous for a backup tool that may touch sensitive data and system state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented behavior presents an enterprise-grade multi-cloud orchestrator, but the detected implementation reportedly performs local restic repository initialization, stores a password file locally, and backs up hardcoded paths and Docker volumes. This mismatch is dangerous because users may trust the skill with production systems under false assumptions about scope, storage targets, and security controls, increasing the chance of data exposure, incomplete backups, or unsafe recovery procedures.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Describing one-command full-system restore and disaster recovery without an explicit overwrite warning normalizes a destructive operation without communicating the risk of replacing live system files. In a backup skill, restore actions are contextually high risk because they may overwrite application data, configuration, credentials, and boot-critical files, leading to outage or irreversible data loss if run incorrectly.

Missing User Warnings

High
Confidence
99% confidence
Finding
The example command restores directly to the root filesystem ('--target /') with no safeguard or warning. This is extremely dangerous because a user may copy-paste the example and overwrite a live host, causing immediate system corruption, service outage, credential replacement, or destructive rollback of unrelated data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code silently writes the restic repository password to disk in a predictable location under the repository path. In a backup/orchestration context, this increases the chance that operators unknowingly store high-value secrets on shared or insufficiently protected storage, enabling repository compromise if the file is exposed.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The default backup mode reads a fixed filesystem path and specific Docker volumes without any runtime confirmation or user disclosure. In an agent skill, this can cause unintended collection of sensitive local data and container contents, especially when users may not realize what will be accessed.

VirusTotal

64/64 vendors flagged this skill as clean.