macos-suite

Security checks across malware telemetry and agentic risk

Overview

This is a sensitive but coherent macOS automation skill whose local app access, confirmations, Shortcuts fallback, and limited stock-data network calls are mostly disclosed and purpose-aligned.

Install only if you are comfortable granting macOS Automation/app privacy permissions to read Mail, Notes, Calendar, Reminders, Photos, and related apps. Confirm mutating actions deliberately, treat Mail draft creation and Shortcuts-backed commands as sensitive, and be aware that stock quote/history commands contact third-party market-data services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill's manifest declares only OS/app gating metadata and no explicit capability declarations, yet its documentation describes shell execution, file access, environment-variable use, UI automation, and network-backed features. An agent or reviewer reading only the declarations may therefore rate the skill as lower risk than it is, even though it can read local data, call external services, open arbitrary URLs and apps, and modify user content.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The documented behavior materially exceeds the stated purpose: the skill can send email, fetch remote market data, run Shortcuts workflows, and open arbitrary apps or URLs. Users and orchestrating agents may approve or invoke it assuming it performs only limited local automation, when it in fact enables outbound communication, remote data access, and broad command-triggered actions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding: A skill presented as local macOS app automation also retrieves stock history from a third-party service. That extends the trust boundary beyond local automation and introduces data-flow and integrity risks, because neither the manifest nor the description leads users to expect network egress or a dependency on an external service.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding: The external market-data feature is not clearly justified by the stated local-automation purpose, so users may be misled about what data leaves the machine and which remote dependencies exist. Although not inherently malicious, unjustified scope expansion widens the attack surface and undermines informed consent for network activity.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The description says the skill automates macOS apps, but the stocks functionality also makes outbound HTTP/HTTPS requests to external market-data services. That undisclosed network capability changes the trust boundary and can reveal which stocks a user is watching, or enable unexpected data egress, in environments that approved only local automation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: The code executes any shortcut name supplied via arguments or the environment, and macOS Shortcuts can run arbitrary actions, including shell commands, file access, network requests, and automation of other apps. This gives the skill a far broader execution surface than advertised and effectively delegates trust to any locally available shortcut, with no allowlist or provenance check on the name.
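The pattern this finding describes, and one way to close it, as an added example (this is illustrative code written for this page, not the skill's own code and not SkillSpector output). The allowlist names, the `SHORTCUT_NAME` variable and the injectable `runner` are assumptions; the only real interfaces used are the macOS `shortcuts list` and `shortcuts run <name>` commands, invoked as an argv list so no shell ever re-parses the name.

```python
"""Added example: gate `shortcuts run` behind an exact-name allowlist.

The unsafe entrypoint runs whatever name arrives via argv or the environment.
The hardened one validates the name, requires an exact allowlist match, and
confirms the shortcut is actually installed before invoking the CLI.
"""
import os
import subprocess
import sys
from typing import Callable, Iterable, Sequence

# Hypothetical allowlist of the exact shortcut names this skill may invoke.
ALLOWED_SHORTCUTS = frozenset({"Create Meeting Note", "Log Water Intake"})

# The function that executes a command. It is injectable so the gating logic
# can be exercised on a non-macOS host with a fake runner.
Runner = Callable[[Sequence[str]], subprocess.CompletedProcess]


def default_runner(argv: Sequence[str]) -> subprocess.CompletedProcess:
    # argv is passed as a list: no shell involved, so the name is never re-parsed.
    return subprocess.run(list(argv), capture_output=True, text=True, check=False)


def unsafe_run_shortcut(argv=sys.argv, env=os.environ, runner: Runner = default_runner):
    """The pattern the finding describes: any name from argv or env is executed."""
    name = argv[1] if len(argv) > 1 else env.get("SHORTCUT_NAME", "")
    return runner(["shortcuts", "run", name])


def requested_name(argv: Sequence[str], env) -> str:
    """Same sources as the unsafe version (argv first, then env), but only as a request."""
    return argv[1] if len(argv) > 1 else env.get("SHORTCUT_NAME", "")


def parse_shortcut_list(output: str) -> list[str]:
    """`shortcuts list` prints one shortcut name per line."""
    return [line.strip() for line in output.splitlines() if line.strip()]


def list_installed_shortcuts(runner: Runner = default_runner) -> list[str]:
    return parse_shortcut_list(runner(["shortcuts", "list"]).stdout)


def validate_shortcut_name(name: str) -> str:
    """Reject empty names, option-like names (would be parsed as CLI flags) and control characters."""
    if not name or name.startswith("-") or any(ord(c) < 32 for c in name):
        raise ValueError(f"malformed shortcut name: {name!r}")
    return name


def resolve_shortcut(name: str, installed: Iterable[str],
                     allowlist: frozenset = ALLOWED_SHORTCUTS) -> str:
    """Exact-match against the pinned allowlist, then confirm the shortcut is installed."""
    validate_shortcut_name(name)
    if name not in allowlist:  # exact match only: no case folding, no prefix or fuzzy matching
        raise PermissionError(f"shortcut not allowlisted: {name!r}")
    if name not in set(installed):
        raise LookupError(f"allowlisted shortcut is not installed: {name!r}")
    return name


def shortcut_argv(name: str) -> list[str]:
    return ["shortcuts", "run", name]


def run_shortcut(name: str, runner: Runner = default_runner,
                 allowlist: frozenset = ALLOWED_SHORTCUTS) -> subprocess.CompletedProcess:
    """Hardened entrypoint: validate, allowlist, verify presence, then run without a shell."""
    resolved = resolve_shortcut(name, list_installed_shortcuts(runner), allowlist)
    return runner(shortcut_argv(resolved))


if __name__ == "__main__":
    try:
        result = run_shortcut(requested_name(sys.argv, os.environ))
    except (ValueError, PermissionError, LookupError) as exc:
        sys.exit(f"refused: {exc}")
    sys.exit(result.returncode)
```

The allowlist is the control that matters: checking `shortcuts list` alone only proves a shortcut exists locally, which is exactly the trust the finding says should not be delegated, since any shortcut a user imported (or that another process installed) would otherwise qualify.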

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The trigger list contains many generic everyday phrases such as '地图' (maps), '照片' (photos), '股票' (stocks), and '写笔记' (write a note) that are likely to match ordinary user requests and unexpectedly invoke a high-privilege local automation skill. Because the skill has an exec-backed entrypoint and can interact with sensitive macOS apps such as Mail, Notes, Calendar, and Photos, accidental activation could expose private data or initiate unintended actions.
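To make the over-firing concrete, the following added example (illustrative code for this page, not the skill's trigger logic or SkillSpector's) scores a bare-keyword trigger against a trigger that demands an explicit action request. The keyword subset, the action-verb patterns and the eight-utterance corpus are all constructed for the example; they are not the skill's actual trigger list.

```python
"""Added example: how often bare-keyword triggers fire on utterances that
merely mention the keyword, compared with triggers that require an explicit
action request (optional polite prefix, action verb, then the object)."""
import re

# Constructed subset of the generic keywords the finding cites, with English glosses.
BROAD_TRIGGERS = {"地图": "maps", "照片": "photos", "股票": "stocks", "写笔记": "note"}

# Hypothetical narrower triggers. The note trigger additionally requires the
# object to end the request or be followed by a separator, so "writing notes
# is a hassle" does not qualify.
PREFIX = r"^\s*(?:请|帮我)?"
VERB = r"(?:打开|查看|看看|显示)\s*"
SCOPED_TRIGGERS = {
    "maps": re.compile(PREFIX + VERB + "地图"),
    "photos": re.compile(PREFIX + VERB + "照片"),
    "stocks": re.compile(PREFIX + VERB + "股票"),
    "note": re.compile(PREFIX + r"写(?:一?篇|个)?笔记(?:[:：，,\s]|$)"),
}

# Constructed evaluation corpus: (utterance, expected trigger or None).
CORPUS = [
    ("打开地图", "maps"),                # open Maps
    ("请显示照片", "photos"),            # please show photos
    ("帮我看看股票", "stocks"),          # check stocks for me
    ("帮我写笔记：明天开会", "note"),    # write a note for me: meeting tomorrow
    ("我昨天在地图上迷路了", None),      # I got lost on the map yesterday
    ("这张照片拍得真好", None),          # this photo came out great
    ("股票市场今天跌了", None),          # the stock market fell today
    ("写笔记太麻烦了", None),            # writing notes is such a hassle
]


def broad_matches(utterance):
    """Substring keyword trigger: fires whenever the keyword appears anywhere."""
    return [name for kw, name in BROAD_TRIGGERS.items() if kw in utterance]


def scoped_matches(utterance):
    """Anchored action-request trigger: fires only on an explicit request."""
    return [name for name, rx in SCOPED_TRIGGERS.items() if rx.match(utterance)]


def evaluate(trigger_fn, corpus=CORPUS):
    """Recall on genuine requests and false-positive rate on mere mentions."""
    positives = [(u, e) for u, e in corpus if e is not None]
    negatives = [u for u, e in corpus if e is None]
    hits = sum(1 for u, e in positives if trigger_fn(u) == [e])
    false_fires = sum(1 for u in negatives if trigger_fn(u))
    return {"recall": hits / len(positives),
            "false_positive_rate": false_fires / len(negatives)}


if __name__ == "__main__":
    for label, fn in (("broad", broad_matches), ("scoped", scoped_matches)):
        print(label, evaluate(fn))
```

On this corpus both trigger styles catch every genuine request, but the keyword trigger also fires on every mention, which is the behaviour that turns a casual remark into an invocation of a skill that can read Mail, Notes, Calendar and Photos.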

VirusTotal

63/63 vendors flagged this skill as clean.
