Ai Test Case Generator

Security checks across malware telemetry and agentic risk

Overview

The skill performs its stated test-case generation role, but its Excel export workflow automatically sends generated content to an external HTTP service without a clear consent step or secure transport.

Review before installing. Use the Markdown generation locally, but avoid the automatic Excel conversion for confidential requirements unless you trust the listed service and network path. Prefer a local converter or a validated HTTPS service, and do not upload internal product, customer, financial, or unreleased feature details without approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The skill goes beyond generating test cases and instructs the agent to execute shell/Python commands and perform external network requests to a remote service. This creates unnecessary capability expansion and can exfiltrate potentially sensitive requirement or test data, especially because the transmitted content is the full generated Markdown.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding
The documentation explicitly recommends insecure transport behavior: using plain HTTP instead of HTTPS and disabling certificate validation with curl -k / verify=False. This enables man-in-the-middle tampering and interception of uploaded test content and returned download links.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The skill mandates automatic transmission of generated Markdown test cases to a remote API without explicit user warning or consent. Test cases derived from requirements often contain confidential business logic, internal workflows, product plans, or customer-specific details, so silent upload materially increases data leakage risk.

VirusTotal

66/66 vendors flagged this skill as clean.
