ClawHub

Remote Disk Mount

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but its SMB instructions can expose or leave behind passwords while using privileged system commands.

Review this skill before installing. Use it only if you are comfortable approving sudo commands, install only the package needed for your chosen protocol, avoid giving the agent reusable passwords, prefer SSH keys or interactive prompts, and remove any SMB credential file immediately after it is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The skill claims it avoids plaintext passwords on the command line, but the SMB example injects the password into a shell command via `echo "password=$PASSWORD" | sudo tee ...`. This can expose secrets through shell history, agent logs, process context, or accidental command rendering, and it normalizes unsafe secret handling despite the stated guidance.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
sudo apt install smbclient cifs-utils -y

# FTP
sudo apt install curlftpfs -y

# SFTP
sudo apt install sshfs -y
Confidence
80% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
sudo apt install curlftpfs -y

# SFTP
sudo apt install sshfs -y

# WebDAV
sudo apt install cadaver davfs2 -y
Confidence
80% confidence
Finding
sudo

Chaining Abuse

High
Category
Tool Misuse
Content
**Credential file method:**
```bash
# 1. Create credential file
echo "username=$USERNAME" | sudo tee /root/.smbcredentials
echo "password=$PASSWORD" | sudo tee -a /root/.smbcredentials
sudo chmod 600 /root/.smbcredentials
Confidence
95% confidence
Finding
| sudo

Chaining Abuse

High
Category
Tool Misuse
Content
```bash
# 1. Create credential file
echo "username=$USERNAME" | sudo tee /root/.smbcredentials
echo "password=$PASSWORD" | sudo tee -a /root/.smbcredentials
sudo chmod 600 /root/.smbcredentials

# 2. Mount
Confidence
95% confidence
Finding
| sudo

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal