Publish-To-Public

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a local rebranding utility, but it needs Review because optional validation can execute local Python code and the actual file-processing scope is broader than the docs describe.

Install only if you are comfortable with a local tool that reads and rewrites a whole source tree into a destination. Use it first with --dry-run and a clean destination directory. Do not pass --validator or run validation/tests on untrusted projects unless you isolate the run in a container or VM.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def validate(dst_dir: Path, validator: Path) -> bool:
    """Run a custom validator on dst_dir. Returns True if it passes."""
    try:
        result = subprocess.run(
            [sys.executable, str(validator), str(dst_dir)],
            capture_output=True, text=True, timeout=30
        )
Confidence
96% confidence
Finding
result = subprocess.run( [sys.executable, str(validator), str(dst_dir)], capture_output=True, text=True, timeout=30 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_tests(dst_dir: Path) -> bool:
    """Run all test_*.py in dst_dir. Returns True if all OK."""
    try:
        result = subprocess.run(
            [sys.executable, "-m", "unittest", "discover", "-s", str(dst_dir), "-p", "test_*.py"],
            capture_output=True, text=True, timeout=60
        )
Confidence
97% confidence
Finding
result = subprocess.run( [sys.executable, "-m", "unittest", "discover", "-s", str(dst_dir), "-p", "test_*.py"], capture_output=True, text=True, timeout=60 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises filesystem and shell-capable behavior but does not declare permissions, which weakens review and containment controls. In a rebrand pipeline that reads, rewrites, regenerates, and validates project content, hidden file and shell capabilities can expose users to unexpected command execution or broad repository modification.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared description frames the skill as a deterministic rebrand tool, but the detected behavior includes executing validator scripts by path and running discovered unit tests via subprocess. That expands the trust boundary from text transformation into arbitrary code execution against user-supplied or repository-resident code, creating a significant risk of malicious test or validator payloads executing during an otherwise routine publishing workflow.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The documentation says the pipeline copies only selected file types, but the implementation walks all files under the source tree and rewrites them unless excluded by name. This can unintentionally process secrets, binaries, templates, or executable files outside the advertised scope, increasing the chance of data leakage or corruption during publication preparation.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill is presented as a deterministic local rebrand pipeline, but it also executes both destination tests and a user-provided validator script. That scope expansion is dangerous because operators may trust it as a pure transformation step, while it can actually run arbitrary Python code from the project or validator input.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The module is presented as a deterministic local rebrand pipeline, but its documented workflow includes executing a custom validator and test files from the processed project. Running project-supplied code during a transformation step can lead to arbitrary code execution, breaks determinism claims, and is especially dangerous when handling untrusted or newly prepared code for publication.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Subprocess-based execution in a generic rebrand skill is a genuine security concern because it can invoke destination-project code or attacker-controlled commands as part of normal processing. In the context of rebranding internal code for release, users may reasonably expect file transformation only, not code execution, which increases the chance of unsafe use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README advertises optional validator and test execution post-rebrand without warning that these steps may execute project-provided tests, scripts, or arbitrary commands. If a user runs the tool on untrusted code, this can lead to arbitrary code execution in the user's environment under the guise of validation.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The validator feature runs code from an arbitrary provided path without a strong user-facing warning that this is equivalent to executing untrusted Python. In security-sensitive publishing workflows, hidden execution surfaces are especially risky because they can be triggered during routine processing of third-party or semi-trusted content.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Automatic unittest discovery executes code from test_*.py files in the destination directory without prominently warning the user. Because the destination content is derived from source material being prepared for release, malicious or unexpected test code can run during what appears to be a simple rewrite operation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation describes validator and test execution without warning that the tool may execute code from the destination project. This omission materially increases risk because operators of a 'rebrand' pipeline may run it on code they do not fully trust, unintentionally triggering arbitrary code execution under their account.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal