aipexbase

Security checks across malware telemetry and agentic risk

Overview

This app-building skill is not clearly malicious, but it needs review because it can change BaaS resources on its own and stores an administrative credential (the manageToken) in project files.

Install only if you are comfortable giving the skill BaaS administrative authority and allowing it to create or modify apps, tables, data, and frontend files. Use a least-privilege token if possible, avoid storing admin tokens in project files, exclude baas-config.json from version control and deployment packages, review generated HTML for unsafe innerHTML usage, and approve host-level install commands (in particular any remote script piped to bash) before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The skill instructs the agent to execute privileged and system-wide installation commands, including piping a remote script directly to bash, modifying shell startup state, globally installing packages, and running `sudo apt-get`. In a skill that is supposed to perform application development, these actions expand the trust boundary well beyond the project directory and can lead to arbitrary code execution, host modification, and supply-chain compromise if the fetched script or packages are malicious or tampered with.

Context-Inappropriate Capability

Severity: Low
Confidence: 79%
Finding
The skill directs the agent to fetch content from external public image sources during data insertion, creating outbound network access beyond the declared local development scope. While lower impact than shell execution, it can leak contextual information, introduce unreviewed third-party content into projects, and violate sandboxing or data-handling expectations.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The Toast example builds markup with `innerHTML` and interpolates `message` directly into the HTML string. If callers pass untrusted content, this creates a straightforward DOM XSS sink (setting the text through `textContent`, or escaping before interpolation, would avoid it), and it is especially concerning because the same document later claims to enforce DOM rendering safety rules.
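To make the sink concrete, here is an added illustration of the pattern the finding describes beside two hardened forms. This is constructed example code, not the skill's own Toast implementation: the function names, the markup and the hostile payload are assumptions, and the stub `document` exists only so the example runs under Node without a browser.

```javascript
// Added example: a Toast helper that interpolates `message` into an
// innerHTML string (the DOM XSS sink the finding describes), beside two
// hardened forms. Constructed illustration code, not the skill's own code;
// function names, markup and payload are hypothetical.

// Attacker-controlled message, constructed for the demonstration.
const HOSTILE_MESSAGE = '<img src=x onerror="alert(document.cookie)">';

// Unsafe: builds markup by string interpolation. Whatever `message` contains
// is parsed as HTML the moment a caller assigns the result to innerHTML.
function buildToastUnsafe(message) {
  return `<div class="toast"><span class="toast-msg">${message}</span></div>`;
}

// Hardened form 1: escape the HTML-significant characters before
// interpolating, so the result is safe to assign to innerHTML as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

function buildToastEscaped(message) {
  return `<div class="toast"><span class="toast-msg">${escapeHtml(message)}</span></div>`;
}

// Hardened form 2 (preferred): do not build HTML from data at all. Create
// the elements and set the message with textContent, which the browser
// never parses as markup. `doc` is passed in so the function can run
// against a stub outside a browser.
function renderToastSafe(doc, container, message) {
  const toast = doc.createElement('div');
  toast.className = 'toast';
  const span = doc.createElement('span');
  span.className = 'toast-msg';
  span.textContent = message;
  toast.appendChild(span);
  container.appendChild(toast);
  return toast;
}

// Review helper: does a built string still carry the hostile tag unescaped?
function containsRawTag(html) {
  return /<img\b/i.test(html);
}

// Minimal stand-in for `document`, constructed so the example runs under
// Node without a DOM. It records what would be rendered.
function makeStubDocument() {
  const makeNode = (tag) => ({
    tagName: tag, className: '', textContent: '', children: [],
    appendChild(child) { this.children.push(child); return child; },
  });
  return { createElement: makeNode, body: makeNode('body') };
}

// When run directly: show the three outcomes side by side.
if (typeof require !== 'undefined' && require.main === module) {
  const doc = makeStubDocument();
  console.log('unsafe  :', buildToastUnsafe(HOSTILE_MESSAGE));
  console.log('escaped :', buildToastEscaped(HOSTILE_MESSAGE));
  const toast = renderToastSafe(doc, doc.body, HOSTILE_MESSAGE);
  console.log('textContent:', toast.children[0].textContent);
}
```

The escaped builder is the smallest change to string-building code, but `renderToastSafe` is the form to prefer: with `textContent` there is no HTML parse step for the message at all, so the guarantee does not depend on remembering to escape at every call site.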

Missing User Warnings

Severity: High
Confidence: 96%
Finding
The skill explicitly authorizes automatic creation of applications, database tables, and front-end code changes without user confirmation, which enables silent local file modification and remote state changes. Because the skill also has Write/Edit/Bash capabilities and remote-management semantics, unintended or malicious prompt injection into requirements could cause destructive or costly actions before the user can intervene.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill instructs the agent to obtain, read, store, and use an administrator manageToken but does not define safe-handling controls such as non-persistence, redaction in output and logs, scope minimization, or a prohibition on echoing the secret. In combination with automated remote actions, this elevates the risk of credential exposure and full administrative abuse of the BaaS environment.
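The two credential recommendations in the overview (keep the admin token out of project files and deployment packages) and the missing handling controls in this finding (redact, never echo) can be enforced with a pre-deploy check. The following is an added example, not part of the skill or of the scanner: the project layout, the assumption that `manageToken` sits at the top level of baas-config.json, and the helper names are all constructed for illustration, and the file contents are held in memory so the check runs without a real checkout.

```javascript
// Added example: a pre-deploy guard that (1) finds admin tokens sitting in
// JSON project files, (2) verifies such files are excluded from both git and
// the npm package, and (3) never prints the token itself. Constructed
// illustration code; file layout, key names and helper names are assumptions.

// Project files as an in-memory map, constructed for the demonstration.
const SAMPLE_PROJECT = {
  'baas-config.json': JSON.stringify({
    baseUrl: 'https://baas.example.test',                  // placeholder host
    manageToken: 'mt_0123456789abcdef0123456789abcdef',    // placeholder admin token
  }),
  '.gitignore': 'node_modules/\n# config carries the admin token\nbaas-config.json\n',
  '.npmignore': 'node_modules/\n',   // deliberately missing the config file
  'src/app.js': 'console.log("hello");\n',
};

// JSON keys whose string values are treated as secrets (assumed names).
const SECRET_KEYS = new Set(['manageToken', 'adminToken', 'apiKey']);

// Minimal ignore-file matcher: exact entry, or a leading/trailing `*` glob,
// compared against the file's basename. Deliberately simple; a real
// deployment should rely on the packager's own ignore semantics.
function isIgnored(ignoreText, filePath) {
  const base = filePath.split('/').pop();
  return ignoreText.split('\n')
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith('#'))
    .some((pat) => {
      if (pat.startsWith('*')) return base.endsWith(pat.slice(1));
      if (pat.endsWith('*')) return base.startsWith(pat.slice(0, -1));
      return pat === base || pat === filePath;
    });
}

// Walk JSON files and report (file, key) pairs holding secret values.
function findSecretsInJson(files) {
  const hits = [];
  for (const [file, text] of Object.entries(files)) {
    if (!file.endsWith('.json')) continue;
    let obj;
    try { obj = JSON.parse(text); } catch { continue; }   // skip unparseable files
    for (const key of Object.keys(obj)) {
      if (SECRET_KEYS.has(key) && typeof obj[key] === 'string' && obj[key]) {
        hits.push({ file, key });
      }
    }
  }
  return hits;
}

// Show only a short prefix so a token can be correlated in output without
// ever revealing the credential itself.
function redactToken(token) {
  if (typeof token !== 'string' || token.length < 8) return '[redacted]';
  return `${token.slice(0, 3)}...[redacted ${token.length - 3} chars]`;
}

// Run the checks: every file holding a secret must be excluded from both
// git and the npm package. Returns a list of problems (empty means pass).
function checkProject(files) {
  const problems = [];
  const gitignore = files['.gitignore'] || '';
  const npmignore = files['.npmignore'] || '';
  for (const { file, key } of findSecretsInJson(files)) {
    const value = JSON.parse(files[file])[key];
    const where = `${file}:${key}=${redactToken(value)}`;
    if (!isIgnored(gitignore, file)) problems.push(`not in .gitignore: ${where}`);
    if (!isIgnored(npmignore, file)) problems.push(`not in .npmignore: ${where}`);
  }
  return problems;
}

// When run directly: report on the sample project. The sample is expected to
// fail on .npmignore, which is exactly the deployment-package leak the
// overview warns about.
if (typeof require !== 'undefined' && require.main === module) {
  const problems = checkProject(SAMPLE_PROJECT);
  console.log(problems.length ? problems.join('\n') : 'OK: no exposed admin tokens');
}
```

Wiring `checkProject` into a pre-commit hook or the CI job that builds the deployment package turns the overview's advice into a gate; the redaction in `redactToken` is what keeps the gate's own output from becoming the leak the finding describes.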

VirusTotal

64/64 vendors flagged this skill as clean.