Lerwee Alert To Fault Handling

Security checks across malware telemetry and agentic risk

Overview

This alert-remediation skill has a clear purpose, but it needs Review: it can run host scripts and close alerts with weak built-in scoping, and it ships an execution log containing operational identifiers.

Install only after reviewing the external fault-handling and lerwee-api helpers, removing the bundled execution log, and limiting the connected account to approved hosts, scripts, and alert actions. Operators should require explicit confirmation before any script execution or alert closure, and should verify that execution logs are access-controlled, redacted, and rotated.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
]

        # Execute the script
        result = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
Confidence
89% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, cwd=FAULT_HANDLING_DIR )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def close_alert(eventid, message="脚本执行成功,自动关闭告警"):  # default message: "Script ran successfully, automatically closing alert"
    """Close the alert."""
    try:
        result = subprocess.run(
            ['bash', LERCLEE_API_DIR / 'lerwee-api.sh', 'alert', 'problem-ack',
             json.dumps({
                 'eventid': eventid,
Confidence
87% confidence
Finding
result = subprocess.run( ['bash', LERCLEE_API_DIR / 'lerwee-api.sh', 'alert', 'problem-ack', json.dumps({ 'eventid': eventid, 'action

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill description says it recommends fault-handling actions, but the implementation also closes alerts through an external API. That mismatch is security-relevant because hidden state-changing behavior can be abused to conceal problems or bypass expected operator review in incident workflows.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Including an alert-closing capability extends the skill beyond recommendation into incident-state manipulation, which is not justified by the stated purpose. In security operations, such scope creep is dangerous because it can silence or prematurely resolve alerts, reducing detection and accountability.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger condition is overly broad: any conversation containing an eventid, IP, or alert name can activate the workflow if other loose matches occur. In a chat-driven operational setting, this can cause accidental script recommendations or execution prompts on unrelated messages, increasing the chance of social engineering, operator confusion, or unintended remediation actions.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script persists execution records to a local JSON file that may include host IPs, user identifiers, event IDs, and potentially output or error content, but it applies no access controls, redaction, retention limits, or user notice. In an alert-handling workflow, these fields can expose operationally sensitive infrastructure and user activity data to other local users, backups, or downstream tooling that reads the log file.
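The findings above (unconfirmed subprocess execution, alert closure hidden behind a "recommend" description, a trigger that fires on any eventid or IP, and an unredacted execution log) all come down to missing gates. The block below is an added example, not code from the skill or its lerwee-api helper, showing how a remediation skill could implement the controls the overview asks for: an explicit command trigger, an allowlist of scripts and hosts, shell-free execution only after operator confirmation, alert closure as a separate confirmed action rather than a side effect of a successful run, and a log writer that pseudonymizes hosts and users before anything touches disk. SCRIPT_DIR, APPROVED_SCRIPTS, APPROVED_HOSTS, LOG_SALT, the "/remediate" trigger word, the log field names, and the confirm/runner/api_call callbacks are illustrative assumptions.

```python
"""Hardened execution and alert-closure gate for an alert-remediation skill.

Added example; not code from the reviewed skill. SCRIPT_DIR, the allowlists,
LOG_SALT, the "/remediate" trigger word and the log field names are assumed.
"""
import hashlib
import ipaddress
import json
import os
import re
import subprocess
from dataclasses import dataclass, field
from pathlib import Path

SCRIPT_DIR = Path("fault-handling")                          # assumed script directory
APPROVED_SCRIPTS = {"restart_service.sh", "clear_tmp.sh"}    # assumed allowlist
APPROVED_HOSTS = {"10.0.0.5", "10.0.0.6"}                    # assumed allowlist
LOG_SALT = b"rotate-me-per-deployment"                       # assumed; never written to the log
MAX_OUTPUT_CHARS = 200

# Explicit command word plus a numeric event id. A bare IP or alert name
# appearing in ordinary chat does not trigger the workflow.
TRIGGER_RE = re.compile(r"^/remediate\s+eventid=(\d{1,12})\s*$")


def parse_trigger(message: str):
    """Return the event id only for an explicit remediation command, else None."""
    m = TRIGGER_RE.match(message.strip())
    return m.group(1) if m else None


@dataclass
class Decision:
    allowed: bool
    reason: str
    argv: list = field(default_factory=list)


def build_command(script: str, host: str, args=()) -> Decision:
    """Check script, host and arguments against the allowlists; build argv for shell=False."""
    if script not in APPROVED_SCRIPTS:
        return Decision(False, f"script not approved: {script!r}")
    try:
        ip = str(ipaddress.ip_address(host))
    except ValueError:
        return Decision(False, f"host is not an IP literal: {host!r}")
    if ip not in APPROVED_HOSTS:
        return Decision(False, f"host not approved: {ip}")
    for a in args:
        # Refuse option injection and shell metacharacters in script arguments.
        if a.startswith("-") or re.search(r"[;&|`$<>\n]", a):
            return Decision(False, f"rejected argument: {a!r}")
    return Decision(True, "ok", ["bash", str(SCRIPT_DIR / script), ip, *list(args)])


def run_script(decision: Decision, confirm, runner=None):
    """Execute an allowed decision only after confirm(argv) returns True.

    runner(argv) defaults to subprocess with shell=False and a timeout; it is
    injectable so the gate can be tested without touching a host.
    """
    if not decision.allowed:
        return {"status": "denied", "reason": decision.reason}
    if not confirm(decision.argv):
        return {"status": "not_confirmed", "reason": "operator declined"}
    runner = runner or (lambda argv: subprocess.run(
        argv, capture_output=True, text=True, timeout=300, check=False))
    proc = runner(decision.argv)
    return {"status": "ran", "returncode": proc.returncode,
            "stdout": proc.stdout, "stderr": proc.stderr}


def close_alert(eventid: str, confirm, api_call):
    """Alert closure is a separate, explicitly confirmed action.

    A successful script run never closes the alert on its own. api_call is the
    assumed hook for the external alert API (e.g. a wrapper around lerwee-api.sh).
    """
    if not re.fullmatch(r"\d{1,12}", eventid):
        return {"status": "denied", "reason": "bad eventid"}
    if not confirm(("close_alert", eventid)):
        return {"status": "not_confirmed", "reason": "operator declined"}
    return api_call("alert", "problem-ack", json.dumps({"eventid": eventid}))


def _pseudonymize(value: str) -> str:
    """Keyed hash so records stay correlatable without exposing the raw identifier."""
    return hashlib.sha256(LOG_SALT + value.encode()).hexdigest()[:16]


def redact_record(record: dict) -> dict:
    """Strip operational identifiers and truncate output before the record is persisted."""
    out = dict(record)
    for k in ("host", "user"):
        if k in out:
            out[k] = _pseudonymize(str(out[k]))
    for k in ("stdout", "stderr"):
        if k in out:
            out[k] = str(out[k])[:MAX_OUTPUT_CHARS]
    return out


def append_log(path: Path, record: dict) -> None:
    """Owner-only (0600) append-only log; size/retention rotation is left to logrotate."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as f:
        f.write(json.dumps(redact_record(record)) + "\n")
```

The design choice worth noting is that confirmation is a callback rather than a flag: the chat layer cannot "pre-confirm" on the operator's behalf, and the same callback gates both execution and closure, so a prompt-injected message that matches the trigger still ends at a human decision.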

VirusTotal

66/66 vendors reported this skill as clean.
