Nanchang Jbl

Security checks across malware telemetry and agentic risk

Overview

The skill itself is a coherent paint-store customer service assistant, but its installers add persistent daily auto-updates from GitHub without clear opt-in.

Install only if you are comfortable with the repository receiving recurring execution through cron or Windows Task Scheduler. Prefer the ClawHub install path or a manual reviewed install, and remove or disable the auto-update task if you do not want daily remote updates. The skill content itself appears limited to customer-service guidance and local reference lookup; no exfiltration, credential theft, or destructive behavior beyond replacing its own skill directory was found.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The README instructs users to fetch and immediately execute remote scripts via shell and PowerShell, which creates a supply-chain and arbitrary code execution risk. This is unrelated to the stated customer-service function of the skill and increases danger because users may trust the project and run the commands without reviewing the script contents.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The installer creates a daily scheduled task that automatically executes PowerShell and performs a git pull, introducing persistence and recurring code execution unrelated to a paint/customer-service skill's stated purpose. This expands the trust boundary from one-time installation to indefinite remote-updatable execution, increasing supply-chain and persistence risk if the repository or update path is ever compromised.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Registering a scheduled task gives the skill persistent execution capability on the host, which is disproportionate for a storefront FAQ/product recommendation skill. Because the task runs PowerShell to fetch and apply remote repository changes, an attacker controlling the repo, dependency chain, or local path could gain repeated execution opportunities without further user interaction.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The installer establishes a persistent daily cron job that continues modifying the system after installation, which exceeds the stated purpose of installing a paint-store customer-service skill. Persistent auto-update mechanisms create an ongoing trust channel to a remote repository, so any future repository compromise or malicious update will be executed automatically on the user's machine.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Modifying the user's crontab changes system scheduler state for functionality unrelated to the skill's advertised customer-service purpose. This is dangerous because it silently grants the repository recurring execution opportunities, creating persistence and a durable supply-chain risk if the remote source is altered.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger keywords are very broad everyday terms related to home improvement, which can cause the skill to activate in unrelated conversations and collect or influence interactions unexpectedly. In a retail/customer-service skill, overbroad activation increases the chance of unintended invocation, misrouting, and privacy issues if user queries are processed without clear intent.

Missing User Warnings

High
Confidence
97% confidence
Finding
The README presents piped remote-install commands without any warning that they execute downloaded code immediately, which normalizes unsafe behavior and exposes users to arbitrary code execution if the source or distribution channel is compromised. Because this is presented as a recommended installation path, less technical users are especially likely to run it blindly.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The skill advertises recommending nearby stores based on customer location but does not disclose how location is obtained, used, stored, or consented to. In a customer-service context, silent or poorly documented location handling can create privacy and compliance risks, especially if precise location data is processed unnecessarily.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger keyword list includes very broad everyday terms such as '油漆', '涂料', '装修', and '刷墙', which can cause the skill to activate in conversations that are only loosely related or not intended for this merchant. Unintended activation can override a user's preferred assistant behavior, steer them into commercial recommendations, and increase the chance of irrelevant or manipulative responses in benign conversations.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The short-keyword table uses ambiguous one-word triggers like '地址', '价格', '推荐', '优惠', '施工', and '正规', which are common across many unrelated user tasks. This makes accidental routing highly likely and could cause the assistant to inject store-specific sales guidance into unrelated conversations, reducing reliability and creating a prompt-routing integrity issue.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer force-removes any existing skill directory and then creates a persistent scheduled task without prompting or warning the user. This combination can overwrite local content and establishes ongoing automated behavior, making unintended system changes and persistence more dangerous, especially when delivered as a one-line remote install command.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The installer deletes the existing skill directory with rm -rf without warning, confirmation, or backup. If the path contains local changes or user data, or is set to an unexpected location, this can cause irreversible data loss and makes the installer unsafe to run unattended.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script modifies the user's crontab without explicit warning or consent, adding persistence that most users would not expect from a simple skill installer. Silent scheduler changes are dangerous because they create recurring remote-code retrieval behavior and reduce the user's ability to make an informed trust decision.

Ssd 3

Low
Confidence
93% confidence
Finding
The document exposes an internal Wi-Fi SSID in a broadly accessible business reference file. While an SSID alone is not equivalent to a password, publishing internal network identifiers can aid reconnaissance, help attackers identify the correct network to target for phishing or rogue access point attacks, and unnecessarily disclose operational details unrelated to most customer interactions.

VirusTotal

65/65 vendors flagged this skill as clean.
