ChipChain

Security checks across malware telemetry and agentic risk

Overview

ChipChain is a disclosed semiconductor supply-chain research skill with broad but purpose-matched web/API research behavior; its main caution is optional verification scripts that may install Python packages when run.

Install is reasonable if you want a research-heavy semiconductor supply-chain assistant. Expect it to use web searches, external databases, declared API keys, and sub-agents for complex questions. Review before running scripts under scripts/, because they can install Python packages such as requests, yfinance, and pykrx and write local verification reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess
import sys  # needed for sys.executable below

    # Excerpt from the helper: falls back to pip when a module is missing
    pip_name = pip_name or name
    print(f"Installing {pip_name}...")
    # Runs pip in the current interpreter as a subprocess at run time
    subprocess.check_call([sys.executable, "-m", "pip", "install", pip_name])
    __import__(name)
Confidence
96% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", pip_name])

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill explicitly instructs the agent to read many local files, perform broad web and API searches, spawn sub-agents, and use external data sources, which is consistent with file, network, and possibly shell-like capabilities despite no declared permissions. That mismatch is dangerous because operators and policy layers may underestimate what the skill can access or do, and the skill's broad investigative workflow increases the chance of unintended data access, unreviewed outbound requests, or unsafe tool use.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The helper adds runtime dependency installation via pip, which is unrelated to simple report generation and markdown extraction and materially expands the skill's capabilities. In the context of an agent skill, this is dangerous because it enables external package retrieval and code execution paths at run time, increasing supply-chain risk and making behavior less predictable and auditable.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The README states that the skill 'triggers on semiconductor supply chain questions automatically' without defining clear scope limits or explicit non-trigger conditions. Overly broad auto-activation can cause the skill to engage in contexts the user did not intend, increasing the chance of unnecessary web access, tool use, or interference with unrelated tasks in an agent environment.

Vague Triggers

Medium
Confidence
75% confidence
Finding
The trigger condition is very broad, covering general questions about suppliers, materials, dependencies, chokepoints, and discovery, which can cause the skill to activate for many ordinary research prompts. In combination with the skill's aggressive search-first and multi-agent instructions, overbroad invocation can lead to unnecessary external lookups, excess data exposure, or users being routed into a higher-risk workflow than intended.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The workflow is triggered by very broad question patterns like 'Who else makes X?' and 'Are there suppliers we're missing?' without requiring explicit user authorization, scope checks, or investigative constraints. In an intelligence-gathering skill, this can cause the agent to initiate expansive supplier discovery from ordinary exploratory phrasing, increasing the risk of over-collection, unintended surveillance-style research, or use outside a narrowly defined task.

Vague Triggers

Low
Confidence
80% confidence
Finding
The instruction to use this workflow 'any time you feel too confident about a concentration claim' introduces a subjective, proactive trigger that is not tied to concrete user requests or policy checks. This makes the workflow easier to invoke speculatively, which can expand research activity beyond the original ask and weaken operator control over when broad discovery should occur.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Auto-installing missing packages with only a console message does not provide meaningful notice, consent, or safety controls before executing a package manager subprocess. This creates a silent trust boundary violation: users may run the skill expecting passive analysis, but the code can modify the environment and fetch unreviewed code from external sources.

VirusTotal

66 of 66 vendors rated this skill clean.
