File Sender

Security checks across malware telemetry and agentic risk

Overview

This skill is meant to send files, but it gives an agent broad authority to find, decrypt, delete, and transmit sensitive local files through chat, with only weak safeguards around any of those actions.

Install only if you intentionally want an agent to send local files and credentials through chat. Before use, require the exact file path and the recipient to be confirmed on every send, never send private keys or passwords through chat at all, and add stronger identity checks, recipient and path allowlists, and safer credential handling before trusting it on a real machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Description-Behavior Mismatch

Severity: Medium (97% confidence)
Finding
The skill claims to be a file sender, but the documentation expands it into a credential vault workflow that accepts, encrypts, stores, lists, decrypts, and transmits secrets. This scope expansion materially increases attack surface because a user phrase intended to share a normal file could activate logic capable of handling and disclosing highly sensitive credentials.

Intent-Code Divergence

Severity: Medium (91% confidence)
Finding
The documentation presents search and delivery as read-only, but later instructs the agent to download, encrypt, move, and delete files. This inconsistency can mislead reviewers and users about the actual side effects, increasing the risk of unsafe deployment and mistaken trust in the skill's behavior.

Intent-Code Divergence

Severity: High (96% confidence)
Finding
The text says credentials are decrypted to memory only, but the security model later describes writing plaintext to /dev/shm or a temporary directory before sending. That contradiction is security-relevant because it understates plaintext exposure windows and can lead operators to believe secrets never touch the filesystem when they actually do.

Intent-Code Divergence

Severity: Medium (88% confidence)
Finding
The module documentation claims receive() avoids plaintext touching disk, but the implementation explicitly reads an existing plaintext file from disk and only then encrypts it. This discrepancy can mislead operators into handling credentials under false assumptions, increasing the chance of unsafe workflows and exposure through backups, forensic recovery, or other local access.

Intent-Code Divergence

Severity: Medium (91% confidence)
Finding
The docstring states temp/plaintext material is secure-deleted after use, but the encrypt command removes the original plaintext with os.remove(), leaving recoverability risk on some filesystems and storage media. For a credential manager, overstating deletion guarantees is security-relevant because users may rely on those guarantees when handling secrets.
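The finding above is about the gap between os.remove() and "secure-deleted". The following is an added example, not code from the skill or from the scanner: a best-effort overwrite-then-unlink that is closer to what the docstring promises, together with the caveat that still applies. Function names, the temp file layout and the sample secret are assumptions constructed for the demo.

```python
"""Best-effort shred versus os.remove() (added example, not the skill's code)."""
import os
import tempfile


def shred_file(path: str, passes: int = 2, chunk_size: int = 1 << 16) -> int:
    """Overwrite the file's bytes in place with random data, fsync, then unlink.

    Returns the number of bytes overwritten per pass.

    os.remove() only drops the directory entry; the data blocks stay on the
    medium until reused. Overwriting first is stronger, but still not a
    guarantee: SSD wear levelling, copy-on-write filesystems (btrfs, ZFS,
    APFS), snapshots, journals and backups can all retain the old blocks.
    The only reliable fix is to never write plaintext to persistent storage.
    """
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY)  # no O_TRUNC: keep the original block allocation
    try:
        for _ in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                buf = os.urandom(min(remaining, chunk_size))
                written = 0
                while written < len(buf):  # os.write may write partially
                    written += os.write(fd, buf[written:])
                remaining -= len(buf)
            os.fsync(fd)  # push the overwrite through the page cache to the device
    finally:
        os.close(fd)
    os.remove(path)
    return size


def demo() -> dict:
    """Write a constructed plaintext secret to a temp file, shred it, report results."""
    secret = b"api_token=EXAMPLE-NOT-A-REAL-TOKEN\n" * 100  # constructed sample
    fd, path = tempfile.mkstemp(prefix="creds-", suffix=".txt")
    with os.fdopen(fd, "wb") as fh:
        fh.write(secret)
    existed_before = os.path.exists(path)
    overwritten = shred_file(path)
    return {
        "existed_before": existed_before,
        "exists_after": os.path.exists(path),
        "bytes_overwritten": overwritten,
        "secret_len": len(secret),
    }


if __name__ == "__main__":
    print(demo())
```

If a workflow must stage plaintext at all, keeping it in a bytes object and handing it straight to the sender avoids the question entirely; the /dev/shm or temp-directory path the security model describes is exactly the step this function cannot make fully safe.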

Vague Triggers

Severity: Medium (95% confidence)
Finding
The trigger phrases are broad and overlap with everyday conversation such as 'share file' or 'I need that document,' making accidental or adversarial invocation more likely. In a skill that can search the local filesystem and send files to external chat services, overbroad activation materially increases the chance of unintended data disclosure.

Missing User Warnings

Severity: High (96% confidence)
Finding
The skill description does not clearly warn users that it can transmit local files, including potentially sensitive ones, to third-party chat platforms. Missing a prominent user-facing warning undermines informed consent and makes accidental exfiltration more likely, especially given the broad triggers and external channels supported.

Missing User Warnings

Severity: High (98% confidence)
Finding
The instructions to decrypt and send credentials omit a strong user-facing warning that secrets are being transmitted over chat infrastructure. Because credentials, IDs, keys, and financial documents are especially sensitive, failing to foreground that risk makes misuse and accidental disclosure significantly more dangerous.

Missing User Warnings

Severity: Medium (94% confidence)
Finding
This function decrypts credential files and transmits the plaintext to an external chat channel with no in-function confirmation, destination allowlisting, or explicit disclosure that secrets are leaving the machine. In the context of an agent skill designed to send local files, this is especially dangerous because a prompt or automation mistake could exfiltrate credentials to an attacker-controlled target.

Missing User Warnings

Severity: Medium (91% confidence)
Finding
The script is explicitly designed to send arbitrary local files to external messaging platforms and states that it does not block files, relying on external behavioral controls instead. In an agent skill context, that makes exfiltration risk materially higher because sensitive local files can be copied into the workspace and transmitted without any in-script confirmation, allowlist, or sensitivity screening.

Ssd 3

Severity: High (99% confidence)
Finding
The skill explicitly authorizes sending any sensitive local file—IDs, certificates, keys, and credentials—once the requester is treated as Marco, and discourages refusals or warnings. Combined with chat-based identity assumptions and broad triggers, this creates a direct exfiltration pathway for the most sensitive files on the system.
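The overview recommends exact path and recipient confirmation, allowlists and sensitivity screening, and the findings above describe a send path that has none of them. The following is an added example of such a pre-send gate; it is not the skill's own code and not part of the scan. The policy values, recipient identifiers, deny patterns, content markers and sample files are all constructed for the demo.

```python
"""Pre-send policy gate for a file-sending agent skill (added example)."""
from __future__ import annotations

import fnmatch
import os
import tempfile
from dataclasses import dataclass

# File names that should never leave the machine through chat (constructed list).
DENY_NAME_GLOBS = (
    "*.pem", "*.key", "*.p12", "*.pfx", "*.kdbx", "*.ovpn", "*.gpg",
    "id_rsa*", "id_ed25519*", "id_ecdsa*", ".env", ".env.*",
    "credentials", "credentials.json", ".netrc", ".pgpass",
)
# Byte markers suggesting credential material, checked in the first 4 KiB (heuristic).
SECRET_MARKERS = (
    b"-----begin ", b"private key", b"aws_secret_access_key",
    b"akia", b"xoxb-", b"ghp_", b"password=",
)


@dataclass(frozen=True)
class SendPolicy:
    allowed_roots: tuple[str, ...]       # only files under these may be sent
    allowed_recipients: frozenset[str]   # chat destinations that may receive files
    max_bytes: int = 25 * 1024 * 1024


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _under_allowed_root(real_path: str, roots: tuple[str, ...]) -> bool:
    for root in roots:
        real_root = os.path.realpath(root)
        if os.path.commonpath([real_path, real_root]) == real_root:
            return True
    return False


def _looks_like_secret(real_path: str) -> bool:
    with open(real_path, "rb") as fh:
        head = fh.read(4096).lower()
    return any(marker in head for marker in SECRET_MARKERS)


def check_send(requested_path: str, recipient: str, confirmation: str,
               policy: SendPolicy) -> Decision:
    """Decide whether the agent may send requested_path to recipient.

    confirmation must be the user's verbatim echo of "<resolved path> -> <recipient>",
    obtained fresh for every send; a bare "yes" or a stale token is rejected.
    """
    real = os.path.realpath(requested_path)  # resolve symlinks before any check
    if recipient not in policy.allowed_recipients:
        return Decision(False, f"recipient not allowlisted: {recipient}")
    if confirmation != f"{real} -> {recipient}":
        return Decision(False, "exact path and recipient confirmation missing")
    if not _under_allowed_root(real, policy.allowed_roots):
        return Decision(False, "path outside allowed roots")
    if not os.path.isfile(real):
        return Decision(False, "not a regular file")
    if os.path.getsize(real) > policy.max_bytes:
        return Decision(False, "file exceeds size limit")
    name = os.path.basename(real)
    for pattern in DENY_NAME_GLOBS:
        if fnmatch.fnmatch(name, pattern):
            return Decision(False, f"denied by name pattern {pattern}")
    if _looks_like_secret(real):
        return Decision(False, "content looks like credential material")
    return Decision(True, "ok")


def demo() -> dict[str, Decision]:
    """Run the gate over constructed files and return each scenario's decision."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="outbox-"))
    outside = os.path.realpath(tempfile.mkdtemp(prefix="home-"))
    files = {  # constructed sample files
        "report.pdf": (root, b"%PDF-1.4 quarterly report"),
        "id_rsa": (root, b"-----BEGIN OPENSSH PRIVATE KEY-----\n..."),
        "notes.txt": (root, b"aws_secret_access_key = CONSTRUCTED-EXAMPLE-VALUE"),
        "passport.jpg": (outside, b"\xff\xd8\xff\xe0 JFIF"),
    }
    paths = {}
    for name, (directory, body) in files.items():
        paths[name] = os.path.join(directory, name)
        with open(paths[name], "wb") as fh:
            fh.write(body)
    ok_to = "telegram:@marco"  # constructed recipient identifier
    policy = SendPolicy(allowed_roots=(root,), allowed_recipients=frozenset({ok_to}))

    def run(name: str, to: str = ok_to, confirmation: str | None = None) -> Decision:
        p = paths[name]
        echo = confirmation if confirmation is not None else f"{p} -> {to}"
        return check_send(p, to, echo, policy)

    return {
        "normal_file": run("report.pdf"),
        "unlisted_recipient": run("report.pdf", to="telegram:@stranger"),
        "vague_confirmation": run("report.pdf", confirmation="yes, send it"),
        "private_key_by_name": run("id_rsa"),
        "secret_by_content": run("notes.txt"),
        "outside_root": run("passport.jpg"),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario}: {'ALLOW' if decision.allowed else 'DENY'} ({decision.reason})")
```

The gate resolves the real path before comparing anything, so a symlink planted in the outbox cannot reach a key in the home directory, and the confirmation string is built from that resolved path so the user sees what will actually be read. The name and content checks are a floor, not a complete classifier; the identity check the overview calls for (is the requester really the account the skill treats as Marco) has to come from the chat platform and is outside what a local gate can verify.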

Ssd 3

Severity: High (99% confidence)
Finding
The skill instructs the agent to decrypt stored credentials and send them via chat, turning a credential store into an automated secret exfiltration mechanism. Even if intended for convenience, exposing decrypted secrets through conversational workflows dramatically lowers the barrier to compromise from prompt injection, account takeover, misrouting, or mistaken identity.

VirusTotal

66/66 vendors flagged this skill as clean.
