Skill Security Vet

Security checks across malware telemetry and agentic risk

Overview

This looks like a real skill-security scanner, but it can automatically quarantine or remove skills and can scan broad local disk areas beyond what the description clearly explains.

Install only if you are comfortable with a security tool that can modify your installed skills. Back up the skill directory first, disable auto-quarantine/auto-remove unless you explicitly want automated remediation, avoid local/full or --auto modes, and use VirusTotal only if you accept storing an API key locally and sending file hashes to VirusTotal.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill advertises shell and network-capable behavior via local scanning and VirusTotal integration, but the metadata declares no permissions or equivalent trust boundary information. This is dangerous because users and reviewers cannot accurately assess that the skill may execute local tooling and send data externally, increasing the risk of unreviewed command execution or data exfiltration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented purpose is limited to auditing installed skills, but the reported behavior expands to scanning the whole machine, modifying local file state, and deleting or quarantining files. That mismatch is dangerous because it conceals materially broader access and destructive capabilities than users would expect, which could lead to system-wide privacy impact or unintended damage.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The implementation exceeds a passive 'security review' role by automatically quarantining/removing other skills, while the advertised VirusTotal cloud-intelligence capability is not present. This mismatch is dangerous because users may grant trust based on the stated purpose, unaware that the tool can take destructive actions against local content.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code can modify the local skill set by copying and then deleting skill directories based on heuristic pattern matches. In a skill ecosystem, this is risky because false positives or manipulated scan results can cause loss of functionality or denial of service against other installed skills.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The startup messaging frames the feature as an automatic safety 'check', but the actual workflow can quarantine skills automatically. This is dangerous because it obscures the operational impact of running the tool, undermining informed consent and making destructive behavior more likely to occur unexpectedly.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The declared purpose is skill security auditing, but the implementation defines SYSTEM_DRIVES and supports `local`/`full` modes that recursively scan entire system drives. This materially expands the skill's reach beyond the stated scope and increases privacy and safety risk by inspecting arbitrary local files unrelated to skill vetting.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The code includes `quarantineFile` and `removeFile`, which can copy, delete, and effectively remove files or directories, despite the skill being described as an audit tool. Destructive remediation is far more powerful than auditing and can cause data loss or disruption if triggered on false positives or broad targets.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
In local/full scan modes, any result marked `danger` can be automatically quarantined or removed from system drives when `--auto` or config-based auto-removal is enabled. Because detection is regex-based and coarse, this creates a serious risk of deleting benign user files or software across the machine without meaningful safeguards.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill stores a VirusTotal API key in a local config file under the user's home directory, which is a credential-handling capability not reflected in the stated purpose. While not inherently malicious, undocumented credential storage increases exposure if file permissions are weak, the config is copied, or other local processes can read it.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill promotes VirusTotal cloud scanning but does not warn that local code, hashes, filenames, or metadata may be uploaded to a third-party service. This is dangerous because skill contents may contain proprietary code, secrets, or sensitive identifiers, and users may unknowingly disclose them to an external provider.

Missing User Warnings

High
Confidence
99% confidence
Finding
The quarantine routine deletes the original skill directory with no user confirmation after copying it to a quarantine location. Even if intended as protection, immediate deletion based on simple regex hits can destroy benign content, break environments, or be abused as a denial-of-service mechanism.

Missing User Warnings

High
Confidence
98% confidence
Finding
When a skill is classified as `danger`, the code immediately quarantines or removes it if auto mode is enabled, without a confirmation prompt at the moment of action. This is dangerous because a heuristic scanner can misclassify content, leading to destructive changes to local data with no last-chance review.

Missing User Warnings

High
Confidence
99% confidence
Finding
In local/full scanning, files on system drives can be automatically quarantined or deleted before the user receives a specific warning for each file. Given the breadth of scan scope and simplistic pattern matching, this can cause widespread unintended file removal on the host system.

VirusTotal

66/66 vendors flagged this skill as clean.
