ClawHub

SSL + Nginx Setup

Security checks across malware telemetry and agentic risk

Overview

This SSL setup skill is mostly legitimate, but it includes production server changes with a risky HSTS preload default and incomplete API-token handling guidance.

Review every command before running it on a production server. Do not use the provided HSTS preload header unless you have explicitly decided that the domain and all subdomains should be HTTPS-only long term. If using Cloudflare automation, create a dedicated least-privilege DNS token for only the needed zone, keep it out of shared transcripts and logs, and rotate it if exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The skill’s hardened Nginx config sets `Strict-Transport-Security` with `preload` by default, while the safety rules explicitly state preload must not be enabled without explicit user consent. HSTS preload is effectively irreversible in the short term and can permanently force HTTPS across the domain and subdomains, which can break services or recovery workflows if the user is unprepared.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs writing a Cloudflare API token directly to `/etc/letsencrypt/cloudflare.ini` without prominently warning that this is a sensitive secret or recommending least-privilege scoping and careful handling. In a skill context, users may paste high-privilege tokens into shell history, logs, or shared environments, increasing the chance of credential exposure and DNS takeover.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal