Skill Guardian

Security checks across malware telemetry and agentic risk

Overview

Skill Guardian is an openly described skill-management automation tool, but it can automatically change installed skills while its advertised security vetting is only a placeholder.

Install only if you are comfortable with a tool that can maintain and update your skill collection for you. Do not enable cron or auto-run until the vetting logic is fixed to enforce real scanner results, and prefer manual or dry-run update review for each skill change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
```python
# Excerpt from the flagged script; the subprocess.run call is completed
# below exactly as quoted in the Finding line of this entry.
print(f"📋 {description}")
print('='*50)
try:
    result = subprocess.run(
        cmd,
        shell=True,
        capture_output=False,
        text=True,
        timeout=300
    )
```
Confidence
95% confidence
Finding
result = subprocess.run( cmd, shell=True, capture_output=False, text=True, timeout=300 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation instructs users to run Python scripts, install packages, edit crontab, and invoke automation that can modify the local skill collection, which implies shell execution and file writes. However, the skill metadata shown in this file does not declare corresponding permissions or clearly warn about those capabilities, creating a trust gap where users may approve a skill without understanding its effective access.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The function claims to perform security vetting, but it ignores the subprocess result entirely and always returns a hardcoded passing status with trust_score 80 unless the subprocess crashes. This means untrusted or malicious skills can be marked as vetted and admitted to the pending queue, undermining the main security boundary advertised by the skill.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The top-level description promises 'security vetting and pending period,' but the implementation performs only a superficial placeholder check. This creates a false sense of security for operators, increasing the likelihood that risky skills are onboarded because users believe meaningful vetting already occurred.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README describes automatic promotion of pending skills and automatic application of updates to the user's skill collection, including immediate updates for "high-trust" skills, without a strong explicit warning that this changes installed software over time. That is dangerous because a compromised trusted source, bad trust scoring, or logic error could silently introduce new code into the user's environment with little visibility.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# Edit crontab
crontab -e

# Add these lines
0 8 * * * cd /path/to/workspace && python3 skills/skill-guardian/scripts/auto_run.py
```
Confidence
88% confidence
Finding
crontab -e

VirusTotal

65/65 vendors flagged this skill as clean.
