Enterprise Legal Guardrails Public

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate local compliance checker, but its wrapper can run outbound commands and may let review-worthy content proceed unless strict mode is enabled.

Install only if you need a local guardrail gate for outbound actions. For real sending, posting, trading, or publishing flows, enable --strict, keep --allowed-command narrow, use --sanitize-env, configure audit logs deliberately, and avoid --allow-any-command except for explicitly approved emergency use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    env = _sanitize_env(args.keep_env, args.keep_env_prefix)

    try:
        proc = subprocess.run(command, check=False, env=env, timeout=args.command_timeout)
    except FileNotFoundError:
        print(f"Command not found: {command[0]}", file=sys.stderr)
        _append_audit_log(
Confidence
93% confidence
Finding
proc = subprocess.run(command, check=False, env=env, timeout=args.command_timeout)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill is presented as enterprise legal/compliance guardrails, but the file is also a command-execution adapter. That mismatch is security-relevant because operators may trust or deploy it as a passive safety control while it actually grants process-execution capability.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The wrapped execution path is broader than the stated purpose and can run whatever binary the caller supplies, subject to configuration. In skill/agent environments, such hidden breadth materially increases risk because a component expected to filter outbound text also functions as a general OS command launcher.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal