Security audit

analysis-toolkit

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate analysis toolkit, but it understates that it can open a network-reachable config server and persistently modify local templates and Python code.

Install only after reviewing the write and server features. Avoid running the configuration panel on untrusted networks unless it is changed to bind localhost only and protected; do not allow generated operators to be written into Python files without human code review; treat CDN-backed reports as non-offline artifacts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (24)

Lp3

Severity: Medium | Category: MCP Least Privilege | Confidence: 90%

The skill metadata declares no sensitive permissions, yet the described capabilities indicate file read/write and local networking behavior. This creates a trust boundary mismatch: an agent or reviewer may treat the skill as low-risk while it can modify local files, persist configuration, generate outputs, and potentially expose a local HTTP service.

Tp4

Severity: High | Category: MCP Tool Poisoning | Confidence: 97%

The documented purpose presents the skill as a data-analysis toolkit, but the behavior includes template management, registry mutation, local HTTP serving, report export, and even code-generation/self-modification features. This mismatch is dangerous because users may supply data expecting passive analysis while the skill can alter code/configuration, expand persistence, and create new execution paths outside the advertised scope.

Context-Inappropriate Capability

Severity: Medium | Confidence: 88%

The document explicitly allows replacing a search hook with a function that performs online searches, which expands the skill from local analysis into external data retrieval. In an agent setting, this can enable unbounded network access, retrieval of untrusted content, and downstream use of externally sourced standards without clear trust, validation, or authorization controls.

Description-Behavior Mismatch

Severity: Medium | Confidence: 84%

The standard search chain and auto-register flow introduce autonomous standards discovery plus automatic persistence into a registry, which materially broadens the skill’s behavior beyond calculation support. If an agent uses this flow, untrusted or low-quality search results can be persisted and later reused as authoritative inputs for calculations, creating a poisoning and integrity risk.

Intent-Code Divergence

Severity: High | Confidence: 98%

The docstring at L460-L465 describes the function as a "one-tailed F-distribution p-value calculation" and gives the formula p = I(...); but at L477-L479 the code first computes betainc(a, b, x) and then returns 1.0 - p. In other words, the formula written in the comment directly contradicts the actual implementation, which misleads callers about the meaning of the returned p-value.

Description-Behavior Mismatch

Severity: High | Confidence: 96%

This function generates Python source code from externally supplied fields such as operator_name, parameters, expression, and target_file, then writes it into the skill’s codebase and registers it for later use. In a quality-control/data-analysis toolbox, runtime source-code generation and persistence materially expands the attack surface and can enable arbitrary code injection, persistence, and tampering if any upstream input is influenced by an LLM or user data.

Context-Inappropriate Capability

Severity: High | Confidence: 94%

The module appends new function definitions directly into Python modules and later also rewrites module metadata and tests, giving the skill self-modifying behavior. That capability is unjustified by the stated business purpose and is dangerous because it allows codebase mutation, persistence of injected logic, and corruption of trusted modules if abused or incorrectly invoked.

Context-Inappropriate Capability

Severity: High | Confidence: 97%

The pipeline executes callables selected by a string target via dynamic import and attribute lookup, allowing a pipeline author to invoke arbitrary internal functions under the scripts package. In a skill context where pipeline definitions or step targets may be influenced by users, configs, or other components, this becomes a powerful execution primitive that can reach non-analysis code, trigger side effects, read/write data, or bypass intended workflow restrictions.

Intent-Code Divergence

Severity: Medium | Confidence: 95%

The documentation says step:post checks unreasonable outputs, but when a dict contains a float NaN the hook returns block=False instead of stopping execution. That allows invalid numeric state to propagate into later steps or reports, which can silently corrupt quality-control calculations and downstream decisions in this analysis-focused skill.

Intent-Code Divergence

Severity: High | Confidence: 96%

The bias verifier claims to recompute bias from underlying data, but in practice it only looks for a reference value in context and then returns success with diff_pct=0. In a quality-control verification engine, this can silently bless incorrect or manipulated bias results, undermining trust in downstream pass/fail decisions and potentially allowing bad analytical results to be accepted.

Intent-Code Divergence

Severity: Medium | Confidence: 97%

`verify_all_by_approximation()` calls `verify_by_approximation(func, args, kwargs, name=name)`, but the callee signature is `(func, args, kwargs=None, result=None, name='')`. The call works only because `name` is passed as a keyword: the fourth positional parameter is `result`, not `name`, so any positional use of this call site would be fragile. The static finding also indicates a documented/behavioral mismatch around returning per-operator verification results. In a quality-control validation toolkit, incorrect aggregation or mislabeled validation outputs can cause users to trust the wrong result, undermining verification integrity.

Description-Behavior Mismatch

Severity: Medium | Confidence: 88%

The renderer injects a script tag for Chart.js from a third-party CDN, so opening the generated report causes the viewer's environment to fetch and execute remote JavaScript. That creates a supply-chain and privacy risk because report viewing now depends on external infrastructure that could be unavailable, tampered with, or used to observe access to local reports.

Context-Inappropriate Capability

Severity: Medium | Confidence: 90%

This code adds external network-dependent behavior at report-view time by loading and executing third-party JavaScript in the generated HTML. In a data-analysis toolkit that otherwise appears local/offline, this expands the trust boundary and can leak report access metadata or enable compromise if the external dependency is malicious or altered.

Context-Inappropriate Capability

Severity: Medium | Confidence: 93%

The report engine conditionally injects a script tag that loads Chart.js from a third-party CDN at render time. This creates an unnecessary external dependency for a local reporting component and exposes users to supply-chain, privacy, and availability risks if the CDN is compromised, blocked, or modified.

Intent-Code Divergence

Severity: Medium | Confidence: 98%

The startup text tells users to open 127.0.0.1, but the server actually binds to 0.0.0.0, exposing the configuration panel on all network interfaces. Because the panel can modify local JSON templates and trigger service shutdown actions without authentication, this mismatch can cause users to believe the tool is localhost-only when it is remotely reachable on the LAN.

Context-Inappropriate Capability

Severity: High | Confidence: 99%

This file starts an unauthenticated HTTP service reachable over the network and exposes endpoints that read configuration and write directly to local template JSON files. In the context of an analytics toolkit, a network-accessible mutable admin surface is higher risk because it can let other local-network users or malicious web pages alter processing behavior, reports, or operating defaults without authorization.

Vague Triggers

Severity: Medium | Confidence: 76%

Overly broad trigger terms increase the chance that the skill activates in contexts where the user did not intend to invoke it. In a skill with write, template, and possible server-side capabilities, accidental activation raises the risk of unintended file changes, report generation, or administrative actions being proposed or executed.

Vague Triggers

Severity: Medium | Confidence: 78%

The positive trigger examples include broad natural-language requests that could match ordinary analytical conversations. Because this skill appears to include nontrivial side effects beyond pure computation, loose activation conditions can route users into a more privileged workflow than expected.

Missing User Warnings

Severity: Medium | Confidence: 89%

The function performs automatic code generation, file mutation, __all__ updates, and registry registration without any visible confirmation, warning, or review gate. Even if intended for convenience, silent source mutation increases the chance of accidental or malicious persistence and makes it easier for unsafe LLM-produced content to be committed into trusted code paths.

Missing User Warnings

Severity: Medium | Confidence: 84%

This append path writes arbitrary function code directly into an existing Python source file with no sanitization, code review step, or safety prompt. The risk is not merely lack of disclosure; combined with externally derived func_code, it can persist malicious or malformed code into trusted modules and affect later imports/execution.

Missing User Warnings

Severity: Medium | Confidence: 78%

The module rewrites the target Python file in place to update __all__, which is another form of silent source mutation. By itself this is lower impact than arbitrary code injection, but it still modifies trusted source automatically and can break module integrity or hide unauthorized additions in normal maintenance flows.

Missing User Warnings

Severity: Low | Confidence: 74%

Automatically editing self_test.py without disclosure is a weaker but real integrity issue because it mutates trusted project files and can normalize unauthorized generated functionality by adding tests around it. This can make malicious or erroneous additions appear legitimate and complicate auditing.

Missing User Warnings

Severity: Medium | Confidence: 91%

The generated HTML can trigger a network fetch for Chart.js when a user opens the report, but the function provides no disclosure that viewing the report is no longer fully local. This is dangerous because users may open sensitive reports expecting an offline artifact, while their client contacts a third party and executes remote code in the browser context.

Missing User Warnings

Severity: Medium | Confidence: 86%

The UI advertises a simple save action, but the backend persists changes immediately into template JSON files that affect future behavior. Without a clear warning, confirmation, or audit trail, users may unintentionally make lasting changes, and when combined with the exposed HTTP service this increases the chance of silent unauthorized or accidental reconfiguration.

VirusTotal

65/65 vendors flagged this skill as clean.