Skill Dashboard

Security checks across malware telemetry and agentic risk

Overview

This skill is a legitimate skill-management dashboard, but its update and uninstall paths can turn a skill name into a local shell command.

Review before installing or publishing this version. The dashboard's purpose is coherent, but it should be fixed to call execFile or spawn with argument arrays instead of exec with a string, validate skill slugs against a strict allowlist, and require explicit user confirmation before any update or uninstall action runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

High severity, 96% confidence
Finding
The helper is documented as providing "safe/constrained" command execution, but it passes a single string to child_process.exec, which hands that string to a shell. Every current and future caller is therefore exposed to shell metacharacter injection whenever any part of the command is influenced by user input or untrusted skill metadata; in this file, skillSlug is later interpolated into the update/uninstall command strings, which makes the risk practical rather than theoretical.

Vague Triggers

Medium severity, 85% confidence
Finding
The documented trigger phrases are broad natural-language commands such as “技能控制台” (“skill console”), “我装了哪些技能” (“which skills have I installed”), and especially “开发者模式” (“developer mode”) / “一键巡查” (“one-click inspection”), with no visible scope restrictions, confirmation gating, or disambiguation rules. This can cause unintended activation during ordinary conversation and expose the installed-skill inventory or telemetry-like usage information when the user did not explicitly intend to open the dashboard.

Vague Triggers

Medium severity, 91% confidence
Finding
The manifest embeds a high-priority trigger list containing multiple generic phrases and command-like aliases, but it does not define contextual boundaries, role restrictions, or negative matches. Because manifest triggers are what the host may use for routing, overly broad entries increase the chance of accidental invocation and unintended disclosure or manipulation of skill-management functions.

Missing User Warnings

Medium severity, 81% confidence
Finding
The dashboard inspects installed skills via the ClawHub CLI and reads local usage state, then presents aggregated reporting without any consent prompt, disclosure, or clear indication that local behavioral data is being accessed. In a developer tool this may be expected, but it is still a privacy issue: usage history and the installed-skill inventory can reveal sensitive workflow information and may be exported or shared unintentionally.

VirusTotal

64/64 vendors rated this skill as clean.
