Lerwee API Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Lerwee API integration, but it exposes broad administrative and remote-control capabilities with weak safety guidance and insecure example credential handling.

Install only if you control the target Lerwee environment and can use least-privilege credentials. Replace the hardcoded HTTP private IP with a trusted HTTPS endpoint, remove and rotate any credential resembling the examples, and require explicit human confirmation before deletes, user/role changes, agent install or uninstall, file operations, alert closure, CMDB/network changes, or script execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The documented `/automation/script-exec` capability enables arbitrary script execution on remote hosts, which is materially more dangerous than ordinary monitoring or read-only API integration. In an agent skill context, exposing this without strong scope limitation, approval gates, and safety guidance creates a high-risk pathway to remote command execution and broad infrastructure compromise.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
Remote host script execution is context-inappropriate for a monitoring integration because it grants active control over managed systems rather than passive observability. In an agent setting, this capability can be abused to run destructive commands, deploy malware, exfiltrate data, or pivot laterally across hosts.

Context-Inappropriate Capability

Severity: High
Confidence: 89%
Finding
The documented API includes remote script execution, file upload, and file distribution operations, which materially increase the blast radius of the skill beyond passive monitoring. In an agent context, exposing these capabilities without strong scoping, warnings, and approval controls can enable destructive remote actions on managed hosts if the skill is invoked with privileged credentials.

Context-Inappropriate Capability

Severity: High
Confidence: 86%
Finding
User, department, and role administration endpoints are privileged control-plane functions unrelated to a narrowly described monitoring integration. In a skill environment, exposing identity and authorization management expands the attack surface and could allow unauthorized account creation, privilege changes, or deletion if the agent is over-permissioned or misused.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The README contains a concrete admin username and password in plaintext configuration, which can be copied into deployments, leaked through source control, or reused against a real internal Lerwee instance. In the context of an API integration skill for monitoring and agent management, exposed admin credentials are especially dangerous because they may grant broad access to infrastructure, alarms, hosts, and user management functions.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The documentation advertises destructive and high-impact operations such as create, update, delete, close, uninstall, and script execution without any safety guardrails, confirmation requirements, or warnings about irreversible effects. In an agent setting, this materially increases the chance of accidental destructive actions against production monitoring infrastructure and managed endpoints.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The documentation includes a request example containing what appears to be a real app token and derived signature material. Even if illustrative, publishing credential-like values normalizes unsafe handling of secrets and may expose usable credentials if they are not fictitious, enabling unauthorized API calls such as alert recovery or other signed operations.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
Documenting arbitrary remote script execution without any warning understates the operational and security risk of the endpoint. In an agent skill, this omission makes unsafe use more likely and can normalize high-risk actions that may damage systems or enable compromise.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The documentation enumerates destructive and remote-action endpoints such as delete, uninstall, script execution, upload, and file distribution without any cautionary guidance, constraints, or confirmation requirements. In an agent-operated skill, lack of warnings and safety framing increases the likelihood of accidental misuse and socially engineered execution of high-impact actions.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The user creation and update methods accept and transmit raw account passwords, and the client does not enforce secure transport. Because the example configuration uses plain HTTP and the request helper posts JSON directly, credentials could be exposed to interception or disclosure if the client is misconfigured or reused in insecure environments.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (README excerpt flagged by the scanner; the Chinese heading and comment are translated):
    print(response.json())
    ```

    ### cURL Example

    ```bash
    # Get the list of monitored objects
Confidence: 89%
Finding
The flagged content is the README's cURL example, which posts to the hardcoded plain-HTTP private address noted in the Overview (the command is truncated in the scan output):
    # Get the list of monitored objects
    curl -X POST "http://192.168.1.79:8081/api/v6/monitor/host-list" \
      -H "Content-Type: application/json" \
      -d

VirusTotal

63/63 vendors flagged this skill as clean.