lex

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Warden/LangGraph agent-building helper with the expected scaffolding, testing, deployment, and API-key setup guidance, but it has some documentation hygiene issues.

Install this only if you are building or deploying Warden/LangGraph agents. Review generated dependencies before installing them, run the initializer only in a dedicated workspace, keep .env files and real API keys out of source control, use deployment secret stores where possible, and avoid testing real credentials against untrusted endpoints or logging raw prompts in production.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85%
Finding
The skill clearly encourages actions requiring sensitive capabilities such as shell execution, network access, environment-variable handling, and file creation, but it does not declare permissions or boundaries for those operations. This weakens least-privilege controls and makes it harder for a host platform or reviewer to understand what the skill may do, increasing the chance of overbroad execution or misuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92%
Finding
The documented purpose is Warden-specific agent building and publishing preparation, but the described behavior includes testing arbitrary external endpoints and generating generic LangGraph scaffolding that does not actually implement the claimed deployment and integration features. This mismatch can mislead users and operators into granting trust or credentials under false assumptions, creating opportunities for unintended data transmission or unsafe use.

Vague Triggers

Medium
Confidence
90%
Finding
The trigger phrase "LangGraph agent" is overly generic for a skill selector and can cause the skill to activate on many unrelated agent-building requests that are not specific to Warden. In an agentic system, broad activation increases the chance of inappropriate context injection, misrouting, or the model following domain-specific instructions in the wrong conversation.

Vague Triggers

High
Confidence
96%
Finding
Saying the skill triggers when users mention "Warden or LangGraph agents" defines an activation boundary that is far too broad, especially because "LangGraph agents" is a large general category unrelated to this skill's intended scope. This can systematically misapply the skill to unrelated requests, leading to instruction contamination, incorrect tool/script suggestions, and increased exposure to adversarial prompt routing within a broader agent platform.

Missing User Warnings

Medium
Confidence
97%
Finding
The skill tells users to place API keys in a .env file but does not instruct them to keep that file out of version control or otherwise protect it. In a code-generation and deployment workflow, this omission materially increases the risk of accidental secret leakage through Git commits, shared repos, build artifacts, or logs.

Missing User Warnings

Low
Confidence
90%
Finding
The environment variable template enumerates multiple sensitive secrets such as API keys, database URLs, and monitoring credentials, but it does not warn users to keep the file out of version control or use secret management. In a builder skill aimed at helping users scaffold deployable agents, this omission can normalize unsafe handling of secrets and increase the chance that real credentials are committed or shared.

Missing User Warnings

Medium
Confidence
95%
Finding
The logging examples include raw request input (`logger.debug('Processing request', { input });`) without any redaction guidance. In an agent deployment guide, user input may contain API keys, wallet addresses, prompts with secrets, or other sensitive data, which could then be exposed in console, file logs, or downstream log aggregation systems.
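As an added illustration (not code from the scanned skill, and not SkillSpector's), the following JavaScript replaces the unredacted `logger.debug('Processing request', { input })` call with a wrapper that scrubs secret-looking values and sensitive field names before anything is written to a console, file, or log aggregator. The regex patterns, the `safeLog`/`redactValue`/`redactString` names, and the sample request payload are assumptions chosen for this example; the key and wallet formats are illustrative and would be extended to whatever credentials a deployed agent actually handles.

```javascript
// Added example, not code from the scanned skill: scrub secret-looking values
// and sensitive field names from a request payload before it reaches any log
// sink (console, file, or a log aggregator). All patterns and names here are
// illustrative assumptions; extend them to the credential and wallet formats
// a deployed agent actually handles.

const REDACTION_RULES = [
  // NAME=value pairs pasted from a .env file: keep the variable name, drop the value
  { name: 'env-assignment', keepName: true,
    re: /\b([A-Z][A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD|URL))=["']?[^\s'"]+["']?/g },
  { name: 'bearer-token', re: /\bBearer\s+[A-Za-z0-9._~+/=-]{16,}/g },
  // Prefixed API keys such as sk-... (OpenAI-style); provider-specific, adjust as needed
  { name: 'api-key', re: /\b(?:sk|pk|rk)-[A-Za-z0-9_-]{16,}\b/g },
  // 64 hex chars (optional 0x) is the shape of an EVM private key; 0x + 40 hex an address
  { name: 'evm-private-key', re: /\b(?:0x)?[0-9a-fA-F]{64}\b/g },
  { name: 'evm-address', re: /\b0x[0-9a-fA-F]{40}\b/g },
];

// Field names redacted wholesale regardless of value. Deliberately broad:
// over-redacting a log line is far cheaper than leaking a credential.
const SENSITIVE_FIELD_RE =
  /(key|secret|token|password|passwd|credential|private|mnemonic|seed|authorization|cookie)/i;

function redactString(text) {
  let out = text;
  for (const rule of REDACTION_RULES) {
    out = out.replace(rule.re, (match, group) =>
      rule.keepName ? `${group}=[REDACTED:${rule.name}]` : `[REDACTED:${rule.name}]`);
  }
  return out;
}

// Walks objects and arrays; strings are pattern-scrubbed, sensitive keys dropped entirely
function redactValue(value, fieldName = '') {
  if (SENSITIVE_FIELD_RE.test(fieldName)) return '[REDACTED:field]';
  if (typeof value === 'string') return redactString(value);
  if (Array.isArray(value)) return value.map((v) => redactValue(v));
  if (value && typeof value === 'object') {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, redactValue(v, k)]));
  }
  return value; // numbers, booleans, null pass through unchanged
}

// Drop-in for `logger.debug('Processing request', { input })`. Returns the line
// it emitted so callers and tests can see exactly what reached the sink.
function safeLog(level, message, context = {}) {
  const line = JSON.stringify({ level, message, context: redactValue(context) });
  console.log(line);
  return line;
}

// Constructed request payload, standing in for what a user might paste into an agent
const SAMPLE_REQUEST = {
  input: 'Deploy with OPENAI_API_KEY=sk-abcdefghijklmnopqrstuvwxyz0123 and pay 0xAbCdEf0123456789AbCdEf0123456789AbCdEf01',
  headers: { authorization: 'Bearer eyJhbGciOiJIUzI1NiJ9.payload.signature' },
  apiKey: 'sk-zyxwvutsrqponmlkjihgfedcba9876',
  sessionId: 42,
};

safeLog('debug', 'Processing request', SAMPLE_REQUEST);
```

Rule order matters: the `NAME=value` rule runs first so that a pasted `.env` line is reduced to its variable name rather than being rewritten twice, and the 64-hex private-key rule runs before the 40-hex address rule. Field-name redaction is applied before value scrubbing, so a key such as `apiKey` or `authorization` never depends on a pattern matching its value.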

Vague Triggers

Medium
Confidence
90%
Finding
Broad trigger phrases like 'Warden' or 'LangGraph agent' can cause the skill to activate in unrelated contexts, leading the agent to load additional instructions, references, and helper scripts unexpectedly. In an agent skill ecosystem, overbroad activation increases prompt-surface area and can route conversations into workflows that execute tools or generate deployment guidance without sufficient relevance checks.

Vague Triggers

Medium
Confidence
94%
Finding
The automatic triggering rules are underspecified and rely on generic phrases without exclusion criteria, which can cause unintended invocation of this skill during benign discussion of Warden, agents, or templates. Because this skill is designed to load instructions, references, and potentially executable helper scripts, accidental activation materially increases the risk of inappropriate tool use, prompt interference, and user confusion in security-sensitive build/deploy flows.
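To make the four trigger findings concrete, here is an added JavaScript sketch that is neither the skill's own activation logic nor SkillSpector's. Real skill selectors are model-driven and read a natural-language description, so the keyword rules below are a deterministic stand-in used only to show how the trigger as written ("Warden or LangGraph agents") fires on unrelated requests, and how adding required context and exclusion criteria changes that. The rule shapes, the request texts and the `shouldActivate`/`evaluateRule` names are all constructed for this example.

```javascript
// Added example, not the skill's or SkillSpector's logic: a deterministic
// stand-in for a skill selector. Real selectors are model-driven and read a
// natural-language description; these keyword rules only make the misrouting
// the findings describe measurable. Rule shapes and requests are constructed.

// The trigger as the skill currently states it: any mention of either phrase fires it.
const BROAD_RULE = {
  name: 'warden-or-langgraph (as written)',
  allOf: [],
  anyOf: ['warden', 'langgraph agent'],
  exclude: [],
};

// Narrowed trigger: Warden must be present, the request must carry a build or
// ship signal, and conversational/meta phrasing is excluded. Tune the lists to
// real traffic; the point is that required context and exclusions exist at all.
const SCOPED_RULE = {
  name: 'warden-agent-builder (scoped)',
  allOf: ['warden'],
  anyOf: ['scaffold', 'build', 'deploy', 'publish', 'template', 'langgraph'],
  exclude: ['what is', 'explain', 'compare', 'news', 'history'],
};

function normalize(text) {
  return text.toLowerCase().replace(/\s+/g, ' ').trim();
}

function shouldActivate(rule, request) {
  const text = normalize(request);
  const has = (phrase) => text.includes(phrase);
  if (rule.exclude.some(has)) return { activate: false, reason: 'excluded phrasing' };
  if (!rule.allOf.every(has)) return { activate: false, reason: 'required context missing' };
  if (rule.anyOf.length > 0 && !rule.anyOf.some(has)) {
    return { activate: false, reason: 'no activation signal' };
  }
  return { activate: true, reason: 'matched' };
}

// Constructed requests; only the first is genuinely within the skill's scope
const REQUESTS = [
  { text: 'Scaffold a new Warden LangGraph agent and prepare it for publishing', inScope: true },
  { text: 'How do I build a LangGraph agent that plays chess?', inScope: false },
  { text: 'What is Warden and how does it compare to other agent platforms?', inScope: false },
  { text: "Summarize this week's news about Warden", inScope: false },
];

// Per-request decisions plus the count of out-of-scope activations (misfires)
function evaluateRule(rule, requests = REQUESTS) {
  const decisions = requests.map((r) => shouldActivate(rule, r.text).activate);
  const misfires = requests.filter((r, i) => decisions[i] && !r.inScope).length;
  return { rule: rule.name, decisions, misfires };
}

for (const rule of [BROAD_RULE, SCOPED_RULE]) console.log(evaluateRule(rule));
```

Run with node: the broad rule activates on all four constructed requests (three misfires, each of which would load this skill's instructions, references and helper scripts into an unrelated conversation), while the scoped rule activates only on the Warden build request. The same discipline applies when the trigger is a natural-language description: state the required context, the kind of task, and what the skill is explicitly not for.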

Missing User Warnings

Medium
Confidence
88%
Finding
The quick reference includes plaintext environment variable examples for multiple sensitive API keys but does not warn users to keep secrets out of source control, avoid sharing them, or use secure secret management. In a developer-facing setup guide, this omission can lead users to place live credentials into .env files, shell history, screenshots, or committed repos, increasing the chance of credential exposure.
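The three findings about .env handling, and the overview's advice to keep .env files out of source control, all point at the same missing check, so one added example covers them: a JavaScript pre-commit style scan that is not part of the scanned skill. It flags a .gitignore without a .env entry, a staged live .env file, real-looking values next to sensitive variable names, and credential-shaped literals in source. The .gitignore handling, the placeholder heuristics, the secret formats, the function names and the staged file contents are all constructed assumptions for illustration.

```javascript
// Added example, not part of the scanned skill: a pre-commit style check for
// the failure mode the findings describe, i.e. a real key landing in a
// committed .env file or a source literal. Inputs are passed as strings so the
// check runs offline; wire it to `git diff --cached` in a real hook. The
// .gitignore handling is a simplification, not full gitignore glob semantics.

const ENV_IGNORE_PATTERNS = new Set(['.env', '.env*', '*.env', '**/.env', '.env.*']);

function isEnvIgnored(gitignoreText) {
  return gitignoreText.split('\n')
    .map((l) => l.trim())
    .filter((l) => l && !l.startsWith('#'))
    .some((l) => ENV_IGNORE_PATTERNS.has(l));
}

// Files meant to hold local secrets; .env.example-style templates are fine to commit
function isLiveEnvFile(path) {
  const base = path.split('/').pop();
  if (!base.startsWith('.env')) return false;
  return !/\.(example|sample|template|dist)$/.test(base);
}

// Documentation placeholders rather than real credentials (heuristic, assumed)
function isPlaceholder(value) {
  const v = value.trim().replace(/^["']|["']$/g, '');
  return v === '' || /^<.*>$/.test(v) || /^\$\{.*\}$/.test(v)
    || /^(your|replace|changeme|change-me|example|dummy|xxx|todo|placeholder)/i.test(v);
}

// Variable names whose values are credentials or embed them (DATABASE_URL may carry a password)
const SENSITIVE_NAME_RE = /(KEY|SECRET|TOKEN|PASSWORD|PASSWD|URL|DSN)$/;
const ENV_LINE_RE = /^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)=(.*)$/;

// Source literals shaped like credentials: prefixed API key, 64-hex private key,
// or a URL with user:password@ embedded. Illustrative formats; expect to tune.
const SECRET_LITERAL_RE = /\b(?:sk|pk|rk)-[A-Za-z0-9_-]{16,}\b|\b[0-9a-fA-F]{64}\b|:\/\/[^\s/:@]+:[^\s@]+@/;

// stagedFiles: { path: content }. Returns a list of { path, rule, detail } findings.
function checkSecretHygiene(gitignoreText, stagedFiles) {
  const findings = [];
  if (!isEnvIgnored(gitignoreText)) {
    findings.push({ path: '.gitignore', rule: 'env-not-ignored', detail: 'add a .env entry' });
  }
  for (const [path, content] of Object.entries(stagedFiles)) {
    const lines = content.split('\n');
    if (path.split('/').pop().startsWith('.env')) {
      if (isLiveEnvFile(path)) {
        findings.push({ path, rule: 'env-file-staged', detail: 'unstage it and ignore it' });
      }
      lines.forEach((line, i) => {
        const m = ENV_LINE_RE.exec(line);
        if (m && SENSITIVE_NAME_RE.test(m[1]) && !isPlaceholder(m[2])) {
          findings.push({ path, rule: 'live-secret-value', detail: `${m[1]} at line ${i + 1}` });
        }
      });
    } else {
      lines.forEach((line, i) => {
        if (SECRET_LITERAL_RE.test(line)) {
          findings.push({ path, rule: 'hardcoded-secret-literal', detail: `line ${i + 1}` });
        }
      });
    }
  }
  return findings;
}

// Constructed staging area: a scaffolded agent repo about to commit its secrets
const SAMPLE_GITIGNORE = 'node_modules/\ndist/\n';
const SAMPLE_STAGED = {
  '.env': [
    'OPENAI_API_KEY=sk-abcdefghijklmnopqrstuvwxyz0123',
    'DATABASE_URL=postgres://agent:hunter2@db.internal:5432/agents',
  ].join('\n'),
  '.env.example': [
    'OPENAI_API_KEY=your-openai-key-here',
    'DATABASE_URL=<postgres connection string>',
  ].join('\n'),
  'src/agent.ts': [
    'const key = process.env.OPENAI_API_KEY;',
    'const fallback = "sk-zyxwvutsrqponmlkjihgfedcba9876"; // never do this',
  ].join('\n'),
};

console.log(JSON.stringify(checkSecretHygiene(SAMPLE_GITIGNORE, SAMPLE_STAGED), null, 2));
```

On the constructed staging area the check returns five findings: the missing .gitignore entry, the staged `.env`, both live values inside it, and the hard-coded key in `src/agent.ts`; `.env.example` passes because every value is a placeholder. A hook that fails the commit on any finding is the control the scanned skill's quick reference should have pointed users to, alongside a deployment secret store rather than a .env file for production credentials.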

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal