Resource 2 NAS

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned, but it requires powerful cloud-drive and NAS credentials and should only be used with accounts and storage you trust it to manage.

Before installing, treat the configured cookies and OpenList token as full account credentials. Use a dedicated or low-privilege OpenList token if possible, keep .env out of commits, avoid custom API bases/proxies unless you trust them, and require confirmation before any save, copy, cancel, raw_url download, or link-check operation involving private links.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Medium (89% confidence)

This section materially expands the skill from search/save/verify/copy orchestration into direct server-side downloading using freshly obtained OpenList raw URLs and shell `curl` commands. That creates a broader file-transfer capability than the manifest suggests, enabling arbitrary content retrieval onto server or NAS storage and increasing the chance of unintended data movement or abuse if an agent follows these instructions automatically.

Context-Inappropriate Capability

Medium (86% confidence)

The documented flow shows how to turn OpenList `fs/get` responses into fresh `raw_url` values and then download content with shell commands to mounted storage. Even if intended for media backup, this is effectively a general-purpose server-side download primitive that could be reused to fetch arbitrary files through the agent, beyond the clearly stated search/save/copy purpose.

Missing User Warnings

Medium (95% confidence)

This code sends raw cookie values from environment variables to remote provider endpoints in the HTTP Cookie header to validate them. While that is functionally necessary for cookie checking, the file provides no explicit user-facing consent or warning at the point of transmission, which matters because these are highly sensitive session credentials and this skill is specifically designed to handle third-party account cookies.

Vague Triggers

Medium (88% confidence)

The default_prompt defines very broad triggers such as 'when the user searches media' and also allows implicit invocation, which can cause the skill to activate for loosely related requests without clear user intent. Because this skill performs actions involving cloud saves, task inspection, and NAS/OpenList copy operations, unintended invocation could lead to unnecessary handling of external links or storage operations in a higher-risk context than a purely informational skill.

Missing User Warnings

Medium (92% confidence)

When --check-links is used, the script sends discovered share URLs, extraction codes, and optional view/proxy tokens to a remote API endpoint. In this skill's context, those values can grant access to user resources or expose sensitive infrastructure details, and the file provides no inline consent prompt, redaction, or trust boundary enforcement before transmission.

VirusTotal

63/63 vendors flagged this skill as clean.
