ClawHub

Allstar Link node control ASL3 (ASL3 Node Control)

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its radio-node control purpose, but an included shell helper can send API-key-authenticated commands to a hard-coded fallback IP if the user has not set their own node address.

Install only if you understand it can control live ASL node connections. Set ASL_PI_IP or ASL_API_BASE explicitly before use, review or remove the asl-api.sh fallback IP, protect ASL_API_KEY, and check any saved net sessions or cron entries because they can trigger later disconnect actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill exposes significant capabilities—network access, shell execution, environment-secret use, and local file read/write—without declaring permissions. This creates a transparency and governance gap: operators cannot accurately assess what the skill can do before enabling it, and the presence of API-key-backed control of radio infrastructure increases the risk of misuse or over-privileged deployment.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill includes commands that can actively connect and disconnect radio nodes, but it does not prominently warn that these actions alter live operational state and may interrupt ongoing service or scheduled connections. In an agent setting, ambiguous natural-language dispatch could cause unintended transmission-path changes with real-world operational impact.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal