Clawd Throttle

Security checks across malware telemetry and agentic risk

Overview

The skill largely does what it claims, but, if enabled, its optional HTTP proxy can let unauthenticated callers use your configured LLM provider accounts.

Install only if you are comfortable sending prompts to the configured LLM providers and storing provider credentials locally. If you use HTTP proxy mode, run it only on a trusted machine/network, prefer localhost-only containment, and do not expose the port publicly without adding your own access controls. Treat get_config and set_mode as administrative tools because they reveal routing setup and can persistently change routing behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill requires environment variables for multiple API keys and clearly performs outbound requests to third-party model providers, yet the skill declares no explicit permissions. This creates a transparency and review gap: users may install or run a networked, credential-consuming skill without an accurate permission boundary, increasing the chance of unintended data exposure or over-trusting the package.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The documented purpose frames the skill as a simple router, but the observed behavior includes running proxy/MCP servers, exposing configuration and logs, accepting runtime mode changes, and translating requests across provider formats. That mismatch is security-relevant because users may authorize or deploy the skill expecting limited behavior while it actually exposes additional attack surface, including local service exposure, sensitive metadata disclosure, and request-manipulation pathways.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The get_config tool exposes broad administrative configuration details, including enabled providers, base URLs, auth types, logging settings, and classifier thresholds, to any caller with tool access. Even though API keys are redacted, this still leaks internal topology and operational settings that can aid targeted abuse, provider fingerprinting, or follow-on attacks against the deployment.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The set_mode tool allows runtime mutation of global routing behavior and persists that change via saveConfig, meaning any caller with access can alter future request handling for all users. This can be abused to force expensive models, degrade quality, or manipulate downstream data exposure patterns, creating both financial and operational risk beyond the stated routing role.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill is specifically designed to forward prompts to external LLM providers, but the description does not clearly warn users that their prompt contents will be transmitted off-host. Even if prompt bodies are not stored locally, undisclosed third-party transmission can expose sensitive user data, regulated information, or proprietary prompts to external processors under differing retention and policy regimes.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The route_request tool forwards user messages and optional system prompts to external model providers selected from multiple third parties, but the file shows no consent, warning, or policy check before transmission. In a routing skill spanning many providers, this increases privacy and data-governance risk because sensitive prompts may be sent off-box or to a different vendor than the user expects.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding: The set_mode tool persists configuration changes to disk with saveConfig without making that side effect clear in the tool contract. Hidden persistence is dangerous because callers may believe they are making a temporary runtime adjustment when they are actually changing future system behavior across restarts.

VirusTotal

65/65 vendors flagged this skill as clean.