ClawHub
Back to skill

Security audit

Security Sentinel Ultimate

Security checks across malware telemetry and agentic risk

Overview

This is a local Python skill-directory scanner that reads files under a user-provided folder and reports findings without modifying files or sending data out.

Install if you want a local scanner for Python skill directories. Point it only at folders you intend to inspect, especially if repositories may contain secrets, because the report can surface secret-like values in masked form and list hidden files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no permissions, but its documented execution invokes a local Python scanner over an arbitrary path and the skill description indicates file reading, network-related detection logic, and shell-capable analysis targets. This mismatch is risky because consumers and policy systems may underestimate the skill's effective capabilities, reducing transparency and allowing broader access than expected.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal