axiom-luhn-check

Security checks across malware telemetry and agentic risk

Overview

This is a small local checksum utility with no network, credential, persistence, or hidden behavior, but its ISBN validation claims are inaccurate and should not be trusted for authoritative identifier checks.

Install only if you need a simple local Luhn checksum helper. Do not use it as authoritative ISBN validation, full payment-card validation, issuer validation, or business-identifier compliance logic without fixing and testing the per-identifier algorithms first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Tp4

High
Category
MCP Tool Poisoning
Confidence
94%
Finding
The skill metadata and documentation overstate or misstate what is being validated, most notably by implying ISBN-10 is covered by a Luhn-based validator even though ISBN-10 uses a different checksum scheme. This can cause downstream systems or users to trust invalid validation results, leading to acceptance of malformed identifiers or incorrect business logic decisions; the mismatch around card-brand/type detection and undocumented behaviors further increases the risk of misuse.

Description-Behavior Mismatch

Medium
Confidence
96%
Finding
The skill advertises ISBN-10/13 validation, but the implementation only performs a Luhn check after stripping non-digits. ISBN-10 uses a different checksum scheme and may end with 'X', so consumers relying on this tool could incorrectly accept or reject identifiers, causing validation bypasses in downstream workflows.

Description-Behavior Mismatch

Medium
Confidence
88%
Finding
The code claims support for SIRET/SIREN but determines validity using Luhn plus type detection, while SIREN handling is inconsistent with the stated purpose and can mislead callers about what is truly being verified. This creates integrity risk where business identifiers may be trusted based on incorrect validation semantics.

Intent-Code Divergence

Medium
Confidence
98%
Finding
The inline documentation states ISBN-10 may end with 'X', but the implementation strips all non-digits before validation, making such values impossible to validate correctly. This discrepancy can cause false negatives or unsafe assumptions by systems that depend on accurate ISBN verification.

VirusTotal

65/65 vendors flagged this skill as clean.
