Codespace Manager

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate codespace manager, but it needs review before use: it can expose browser IDEs to the public internet through a tunnel, it stores and prints passwords in plaintext, and it lets unsanitized codespace names influence host filesystem paths.

Review before installing. In particular:
  • Use only simple, safe codespace names, because names are used to build host filesystem paths.
  • Set a strong, unique password before creating or starting any environment.
  • Avoid placing sensitive tokens or provider keys in these workspaces.
  • Do not share terminal output, since it contains tunnel URLs and passwords.
  • Inspect or pin the installers the Dockerfile fetches if reproducibility or supply-chain control matters.
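The first point above (unsafe names reaching host paths) is the kind of input-validation check the manager should perform itself. The following is an added example written for this review, not the manager's own code; CODESPACE_BASE, its default value and the allowed-name pattern are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not the codespace manager's code): fail closed on codespace
# names before they are used to build a host path or passed to docker.
# CODESPACE_BASE and the 1-32 char [A-Za-z0-9_-] pattern are assumptions.

CODESPACE_BASE=${CODESPACE_BASE:-/srv/codespaces}

# Accept only 1-32 characters from [A-Za-z0-9_-], not starting with "-".
# This excludes "/", "..", whitespace, shell metacharacters, hidden files
# and anything a CLI could mistake for an option (e.g. "-rf").
validate_codespace_name() {
  name=$1
  case $name in
    ''|-*) return 1 ;;
    *[!A-Za-z0-9_-]*) return 1 ;;
  esac
  [ ${#name} -le 32 ]
}

# Build the host directory for a name; returns 1 (prints nothing) if the
# name is rejected, so callers cannot accidentally use a bad path.
codespace_dir() {
  validate_codespace_name "$1" || return 1
  printf '%s/%s\n' "$CODESPACE_BASE" "$1"
}

# Defence in depth: confirm an already-built path is exactly one component
# below CODESPACE_BASE. This is a string check; it does not resolve symlinks.
path_within_base() {
  case $1 in
    "$CODESPACE_BASE"/*/*|*/../*|*/..|"$CODESPACE_BASE") return 1 ;;
    "$CODESPACE_BASE"/*) return 0 ;;
    *) return 1 ;;
  esac
}
```

Every filesystem or `docker` operation in the manager would call `codespace_dir` (or at least `validate_codespace_name`) first and abort on failure, instead of interpolating the raw name into a path.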

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill clearly instructs the agent to run shell commands such as building Docker images and managing containers, but it does not declare corresponding permissions. This creates a transparency and policy gap: users and the platform may not realize the skill can execute host-level operations with meaningful side effects, including network exposure and destructive deletion.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The description includes broad trigger phrases such as "remote development", "dev environment", and "cloud IDE", which match many generic coding requests. Over-broad activation can cause this skill to be selected when the user did not intend it, leading to unexpected shell execution, container creation, network exposure, or data handling beyond what was explicitly requested.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill advertises browser access via Cloudflare Tunnel but does not prominently warn that this exposes a service outside the local host and may make the IDE reachable from a public URL. In this context, omission of an explicit exposure/privacy warning is risky because users may place source code, secrets, or private repos into a workspace they assume is only locally accessible.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The Dockerfile downloads and immediately executes remote install scripts from bun.sh, astral.sh, and opencode.ai during image build. This creates a supply-chain risk because any compromise of those endpoints, DNS/TLS trust, or the scripts themselves would result in arbitrary code execution as root inside the build context and could backdoor the resulting image.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script stores each codespace password in plaintext inside .codespace.json, and also stores the default password in plaintext in CODESPACE_BASE/.default_password. Any local user, backup system, or process with filesystem access can recover credentials and use them to access exposed code-server instances, especially because the same script also publishes them via Cloudflare Tunnel.
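The weakest part of this finding is that the secret files are written with whatever umask the caller has, so they are typically group- or world-readable. The following is an added example for this review, not the manager's own code: it writes a secret with mode 0600 regardless of umask and refuses to read it back if the mode has since been loosened. File paths are illustrative. Note also that code-server's own config supports a `hashed-password` entry (an argon2 hash), so the manager does not need to keep the plaintext at all; the example below only hardens the case where it does.

```shell
#!/bin/sh
# Added example (not the codespace manager's code): keep a stored password
# private on disk and fail closed if its permissions are ever loosened.
# File names such as .default_password are illustrative.

# Write $2 into $1 with mode 0600. The umask change is scoped to a subshell
# so the caller's umask is untouched; chmod covers pre-existing files.
write_private_secret() {
  file=$1 secret=$2
  ( umask 077 && printf '%s\n' "$secret" > "$file" ) || return 1
  chmod 600 "$file"
}

# Return 0 only for a regular file whose mode is exactly rw------- (0600).
# ls -l is used instead of stat because stat's flags differ between GNU
# and BSD userlands; the first 10 columns are portable.
is_private_mode() {
  [ -f "$1" ] || return 1
  mode=$(ls -ld "$1" | cut -c1-10)
  [ "$mode" = "-rw-------" ]
}

# Read a secret back only while it is still private. A loosened file is
# treated as potentially disclosed, so the caller should rotate rather
# than reuse the password.
read_private_secret() {
  if is_private_mode "$1"; then
    cat "$1"
  else
    echo "refusing to read $1: permissions too broad, rotate this password" >&2
    return 1
  fi
}
```

The manager would use `write_private_secret` for both `.codespace.json`-held passwords and `CODESPACE_BASE/.default_password`, and call `read_private_secret` at start time so a file that has been chmod'ed open (for example by a careless backup restore) blocks the start instead of silently feeding the old password to a publicly tunnelled code-server.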

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Starting a codespace automatically creates a public trycloudflare.com tunnel to a local code-server instance, which exposes a development environment to the internet. Although password auth is enabled, the script does not require explicit confirmation, does not restrict source IPs, and even prints the access password to the terminal, making accidental exposure much more likely in this skill context.

Ssd 3

Medium
Confidence
93% confidence
Finding
The documentation normalizes exposing a browser IDE over a public temporary tunnel and then advises users to add provider keys inside that workspace. Combining public remote access with credential placement materially increases the risk of secret theft, account compromise, and downstream supply-chain abuse if the tunnel URL or workspace is accessed by an unauthorized party.

External Script Fetching

High
Category
Supply Chain
Content
# System essentials
RUN apt-get update && apt-get install -y --no-install-recommends \
    curl git wget unzip ca-certificates build-essential \
    && rm -rf /var/lib/apt/lists/*

# Bun (latest)
Confidence
95% confidence
Finding
    curl git wget unzip ca-certificates build-essential \
    && rm -rf /var/lib/apt/lists/*

# Bun (latest)
RUN curl -fsSL https://bun.sh/install | bash

External Script Fetching

Low
Category
Supply Chain
Content
&& rm -rf /root/.bun

# uv (latest)
RUN curl -LsSf https://astral.sh/uv/install.sh | sh \
    && mv /root/.local/bin/uv /usr/local/bin/ \
    && mv /root/.local/bin/uvx /usr/local/bin/ \
    && rm -rf /root/.local
Confidence
93% confidence
Finding
curl -LsSf https://astral.sh/uv/install.sh | sh

External Script Fetching

High
Category
Supply Chain
Content
&& rm -rf /root/.local

# OpenCode (latest)
RUN curl -fsSL https://opencode.ai/install | bash \
    && find /root -name opencode -type f 2>/dev/null \
    && cp /root/.opencode/bin/opencode /usr/local/bin/opencode || true
Confidence
96% confidence
Finding
curl -fsSL https://opencode.ai/install | bash

External Script Fetching

High
Category
Supply Chain
Content
# System essentials
RUN apt-get update && apt-get install -y --no-install-recommends \
    curl git wget unzip ca-certificates build-essential \
    && rm -rf /var/lib/apt/lists/*

# Bun (latest)
Confidence
95% confidence
Finding
    wget unzip ca-certificates build-essential \
    && rm -rf /var/lib/apt/lists/*

# Bun (latest)
RUN curl -fsSL https://bun.sh/install | bash
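All four External Script Fetching findings, and the supply-chain warning earlier in this report, come down to the same `curl ... | bash` pattern with "latest" versions. The remediation is to download the installer to a file, compare its digest against a value pinned in the repository, and only then execute it, so a changed script fails the build instead of running as root. The following is an added example for this review, not code from the scanned Dockerfile; the pinned digests are values the maintainer would record when vetting a specific installer version, and the sample inputs in the test are constructed.

```shell
#!/bin/sh
# Added example (not the scanned skill's code): pin-and-verify replacement
# for "curl -fsSL https://example/install | bash". The expected digest is
# an assumption: the maintainer records it after reviewing the installer.

# Print the SHA-256 of a file using whichever tool the base image has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 only if the file's digest equals the pinned value.
verify_sha256() {
  file=$1 expected=$2
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ]
}

# Execute a downloaded installer only after verification. On mismatch it
# prints both digests and returns 1, which makes a RUN step fail the build.
run_verified_installer() {
  file=$1 expected=$2 interpreter=${3:-sh}
  if verify_sha256 "$file" "$expected"; then
    "$interpreter" "$file"
  else
    echo "refusing to run $file: digest $(sha256_of "$file") != pinned $expected" >&2
    return 1
  fi
}

# Dockerfile equivalent of the above for one installer (digest is a
# placeholder the maintainer fills in; "bun" here stands for any of the
# three installers the report flags):
#   RUN curl -fsSL -o /tmp/bun-install.sh https://bun.sh/install \
#    && echo "<pinned-sha256>  /tmp/bun-install.sh" | sha256sum -c - \
#    && bash /tmp/bun-install.sh && rm /tmp/bun-install.sh
```

With BuildKit the download and check can be collapsed into `ADD --checksum=sha256:<hex> <url> /tmp/installer.sh`, which fails the build on mismatch. Either way the installer script should also be told which tool version to install (each of these projects accepts a version argument or environment variable for that purpose) so "latest" stops drifting between builds.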

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal