ClawHub

lin

Security checks across malware telemetry and agentic risk

Overview

This skill does not look intentionally malicious, but it needs review because it stores URL query data in MySQL with weak scoping and unsafe dynamic SQL behavior.

Install only if you intend to save URL query parameters into a dedicated MySQL database. Use a low-privilege database user, avoid URLs containing tokens or personal data, and prefer a fixed schema or strict parameter allowlist before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises behavior that requires environment access and network/database interaction, but it declares no corresponding permissions. This creates a transparency and policy-enforcement gap: operators may approve or invoke the skill without understanding that it can access credentials from the environment and write URL-derived data to an external MySQL service.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The description understates the skill's persistence behavior by not clearly warning that user-supplied URL parameters are written into MySQL and that the table may be created automatically. Because URL parameters often contain tokens, IDs, and other sensitive data, this can lead to inadvertent storage of secrets or schema changes without informed consent from the operator.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script persists user-supplied URL query parameters to a database without validation, minimization, or any warning that the data will be stored. URL parameters often contain secrets, tokens, email addresses, or tracking identifiers, so this can cause unintended retention of sensitive data and expand the blast radius if the database is later accessed or compromised.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal