zadig

Security checks across malware telemetry and agentic risk

Overview

This Zadig DevOps skill is narrowly scoped to its stated purpose, but it exports a live API token from its module and retrieves service logs by shelling out to `curl` with interpolated input. Both need review before installation.

Install only if you trust the publisher and actually need agent access to Zadig. If you do:
  • Issue a dedicated least-privilege Zadig token for the skill and keep it out of source control.
  • Configure an HTTPS-only base URL.
  • Require explicit confirmation before deletes, deployments, approvals, and cluster or user changes.
  • Avoid the service-log helper until it is rewritten without shell execution and without putting the token on a command line.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding
The skill spawns a local shell command (`curl`) to retrieve logs and interpolates URL components plus the bearer token directly into the command string. This expands the attack surface beyond a normal API client: shell metacharacter injection becomes possible if any path/query component is attacker-controlled, and the token may be exposed through process listings, shell diagnostics, or child-process telemetry.

Intent-Code Divergence

Severity: Low
Confidence: 88%
Finding
The code comments imply environment-management helpers, but the module also exports a `config` object that exposes the raw API key to anything that imports it. Exporting a secret unnecessarily increases the chance of accidental disclosure through logging, debugging, serialization, or downstream tool introspection.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The README instructs users to place a long-lived API token in a local environment file but does not warn that the token is sensitive, should not be committed, and should be protected like a password. In an agent/skill context, this increases the chance of credential leakage through source control, logs, screenshots, shell history, or shared workspaces, which could allow unauthorized access to the Zadig platform.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The README advertises impactful capabilities such as deleting projects, triggering workflows, and updating images without any caution about production impact, authorization requirements, or safe-use guidance. In a DevOps skill, normalizing these operations without warnings can lead users or agents to run disruptive actions against real environments, causing outages, unintended deployments, or data loss.
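
A wrapper around the skill can enforce the confirmation requirement from the overview in code rather than relying on README warnings. The following is an added example, not code from the skill or from Zadig: it classifies each outgoing call by HTTP method and path, allows only reads to proceed unprompted, and records every decision for review. The route patterns are assumed placeholders chosen for illustration, not Zadig's documented API.

```javascript
// Added example, not the skill's own code. Path patterns are assumed placeholders.

// Rules are checked in order; the first match wins.
const POLICY = [
  // Anything that deletes is destructive, whatever the path.
  { method: /^DELETE$/, path: /./, level: "destructive" },
  // Cluster, user and approval changes are administrative.
  { method: /^(POST|PUT|PATCH)$/, path: /\/(clusters?|users?|approvals?)(\/|$)/i, level: "admin" },
  // Workflow triggers and image updates change running environments.
  { method: /^(POST|PUT|PATCH)$/, path: /\/(workflows?|images?|deploy)(\/|$)/i, level: "deploy" },
];

// Every decision is recorded so a human can review what the agent attempted.
const auditLog = [];

function classify(method, path) {
  const m = method.toUpperCase();
  if (m === "GET" || m === "HEAD") return "read";
  const rule = POLICY.find((r) => r.method.test(m) && r.path.test(path));
  // An unrecognised write is still a write: it never falls through to "read".
  return rule ? rule.level : "write";
}

// Returns the decision instead of throwing so an agent loop can surface the
// prompt to the user and retry the same call with `confirmed: true`.
function authorize(call, { confirmed = false } = {}) {
  const method = call.method.toUpperCase();
  const level = classify(method, call.path);
  const entry = {
    method,
    path: call.path,
    level,
    allowed: level === "read" || confirmed === true,
  };
  if (!entry.allowed) {
    entry.prompt = `${method} ${call.path} is a ${level} operation; re-run with { confirmed: true } to proceed`;
  }
  auditLog.push(entry);
  return entry;
}
```

The gate is deliberately conservative: any method other than GET/HEAD that matches no rule is still treated as a write that needs confirmation, so a new Zadig endpoint the rule table does not know about cannot slip through as a read.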

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The exported `config` object includes the live bearer token, making secret exfiltration trivial for any caller that can import or inspect the skill. In agent ecosystems, tool metadata and return values are often logged or surfaced to other components, so exposing the token materially increases compromise risk.
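
The two exported-`config` findings (the intent-code divergence above and this one) and the environment-file finding share one fix: the token must not be reachable from the module's export surface. The following added example, not code from the skill or from Zadig, shows a client factory that captures the token in a closure and exposes only request helpers, with `toJSON` and inspection hooks that redact it; it also enforces HTTPS and rejects paths that would resolve outside the Zadig origin. The `transport` parameter is an assumed injection point for the HTTP function (defaulting to the global `fetch`), and the `ZADIG_TOKEN` variable name is an assumption.

```javascript
// Added example, not the skill's own code. The caller reads the token once from
// the environment (e.g. process.env.ZADIG_TOKEN, an assumed name) and passes it
// in; after that it lives only in this closure.
function createZadigClient({ baseUrl, token, transport = globalThis.fetch }) {
  if (typeof token !== "string" || token.length === 0) {
    throw new Error("Zadig token missing: set it in the environment, never in source");
  }
  const origin = new URL(baseUrl);
  if (origin.protocol !== "https:") throw new Error("Zadig base URL must use https");
  const authHeader = `Bearer ${token}`; // not stored on the returned object

  async function request(method, path, body) {
    const url = new URL(path, origin);
    // "//evil.example/x" is protocol-relative and would change the host.
    if (url.origin !== origin.origin) throw new Error(`path escapes the Zadig origin: ${path}`);
    const res = await transport(url.toString(), {
      method,
      headers: {
        Authorization: authHeader,
        Accept: "application/json",
        ...(body !== undefined && { "Content-Type": "application/json" }),
      },
      body: body === undefined ? undefined : JSON.stringify(body),
    });
    if (!res.ok) throw new Error(`Zadig ${method} ${path} returned HTTP ${res.status}`);
    return res.json();
  }

  return Object.freeze({
    baseUrl: origin.origin,
    request,
    // What JSON.stringify, structured loggers and agent tool introspection see.
    toJSON() {
      return { baseUrl: origin.origin, token: "[redacted]" };
    },
    // What console.log / util.inspect prints.
    [Symbol.for("nodejs.util.inspect.custom")]() {
      return `ZadigClient(${origin.origin})`;
    },
  });
}

// Usage (assumed variable names):
//   const zadig = createZadigClient({ baseUrl: process.env.ZADIG_URL, token: process.env.ZADIG_TOKEN });
//   const projects = await zadig.request("GET", "/api/projects");
// Export `zadig` or its request helpers; never export a `config` object holding the token.
```

Because the token is a closure variable rather than a property, `Object.values`, `JSON.stringify`, spread copies and debugger object views of the client all come up empty, which is the property the findings ask for.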

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The bearer token is placed directly on the `curl` command line, where it can be visible to local users via process inspection tools and may leak into command auditing, crash reports, or monitoring systems. Combining this with shell execution also magnifies the blast radius of any injection or debugging exposure.
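
The two `curl` findings (the shell-interpolation finding at the top and the token-on-command-line finding here) come down to one design choice. The following is an added example, not code from the skill or from Zadig: the string-building pattern the findings describe, next to an in-process HTTP request that validates and percent-encodes every path segment, refuses non-HTTPS base URLs, and carries the token only in a request header. The `/api/logs/...` path is an assumed placeholder, not a documented Zadig route.

```javascript
// Added example, not the skill's own code. The route is an assumed placeholder.

// BEFORE: the pattern the findings describe. The string was handed to a shell
// (child_process.exec or similar). Two defects: `service` is spliced into shell
// syntax unescaped, and the token is part of argv, visible to `ps` and auditing.
function buildCurlCommand(baseUrl, project, service, token) {
  return `curl -s -H "Authorization: Bearer ${token}" ` +
    `"${baseUrl}/api/logs/${project}/${service}"`;
}

// AFTER: no shell at all. Each path component is validated and percent-encoded,
// the base URL must be https, and the token exists only as a header value in
// an in-process request, never on a command line.
function buildLogRequest(baseUrl, project, service, token) {
  const url = new URL(baseUrl);
  if (url.protocol !== "https:") throw new Error("Zadig base URL must be https");
  const segments = [project, service].map((s) => {
    // "." and ".." would be collapsed by the URL parser and redirect the request.
    if (typeof s !== "string" || s === "" || s === "." || s === "..") {
      throw new Error(`invalid path segment: ${JSON.stringify(s)}`);
    }
    return encodeURIComponent(s); // 'web"; id #' -> 'web%22%3B%20id%20%23'
  });
  url.pathname = `/api/logs/${segments.join("/")}`; // assumed placeholder route
  return {
    url: url.toString(),
    headers: { Authorization: `Bearer ${token}`, Accept: "text/plain" },
  };
}

// Fetch the logs with the built-in fetch (Node 18+); nothing here forks a process.
async function fetchServiceLogs(baseUrl, project, service, token) {
  const req = buildLogRequest(baseUrl, project, service, token);
  const res = await fetch(req.url, { headers: req.headers });
  if (!res.ok) throw new Error(`Zadig returned HTTP ${res.status}`);
  return res.text();
}
```

With a service name such as `web"; id #`, the first function produces a command whose quoted URL is closed early and `id` runs as a separate shell command; the second produces a single encoded path segment that the Zadig API simply fails to find. Note that moving the token into a `-H` argument does not help while `curl` is still involved, because the header value is still on the command line.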

VirusTotal

65/65 vendors reported this skill as clean.
