Enterprise Legal Guardrails Public

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local legal guardrail, but its wrapper can execute outbound commands after only a review warning and has a broad allow-any override that users should review carefully.

Install only if you need a command-wrapping outbound guardrail, not just a passive checker. For real posting, email, messaging, or publishing workflows, enable --strict, use a narrow --allowed-command list, avoid --allow-any-command in normal use, enable --sanitize-env with explicit keep lists, and verify the GitHub source before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    command_ms = None
    command_start = time.perf_counter()
    try:
        proc = subprocess.run(command, check=False, env=env, timeout=args.command_timeout)
        command_ms = int((time.perf_counter() - command_start) * 1000)
    except FileNotFoundError:
        msg = f"Command not found: {command[0]}"
Confidence
93% confidence
Finding
proc = subprocess.run(command, check=False, env=env, timeout=args.command_timeout)

Description-Behavior Mismatch

Low
Confidence
92% confidence
Finding
The guardrail can be disabled entirely via environment flags or bypassed for selected apps through scope settings, causing the tool to return PASS without analyzing outbound content. In a system that relies on this skill as a pre-publish safety control, misconfiguration or adversarial control of runtime settings can silently eliminate legal/compliance review and allow risky content to be sent.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The advertised purpose is legal/compliance filtering, but the implementation is also a command-execution adapter. That mismatch increases risk because operators may deploy or trust the skill as a passive guardrail while it actually has the capability to launch external processes.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code provides an explicit bypass that permits any command to run when a reason string and approval token are present, but these are only checked for presence/format and can come from CLI or environment variables. That means the central safety control—the command allowlist—can be programmatically disabled without cryptographic verification or trusted external authorization.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The test suite confirms that the adapter can execute arbitrary wrapped commands, including explicit bypass modes such as --allow-any-command. For a skill described as legal/compliance guardrails for outbound actions, validating broad command-execution behavior materially expands the trusted capability surface beyond content review and makes misuse of the skill more dangerous if exposed to untrusted inputs or agents.

Context-Inappropriate Capability

High
Confidence
88% confidence
Finding
This file exercises a design where a legal/compliance guardrail adapter also executes arbitrary subprocesses and supports policy bypass through an unsafe escape hatch. In context, that coupling is dangerous because a guardrail-branded skill may be granted trust while actually acting as a command runner, increasing the chance of abuse, privilege misuse, or accidental execution of unintended actions.

VirusTotal

66/66 vendors flagged this skill as clean.
