Dcc Cli Gateway

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill has a coherent purpose, but its setup instructions include running internet-downloaded installers directly, which deserves review before installation.

Review this skill before installing. It is designed to control local DCC applications and may install helper tooling, so only use it if you trust the publisher and the DCC-MCP gateway. Do not let an agent run the vx or CLI installer commands automatically; download installers separately, inspect them, and verify release source and checksums/signatures where available.

SkillSpector (4)

By NVIDIA

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill provides commands to install and execute remote tooling from the internet without an adjacent warning about the risks of running downloaded binaries or scripts. In a shell-capable agent environment, such examples can be copied or automated directly, increasing the chance of executing tampered or unexpected code.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The guide instructs users to pipe a remotely fetched script directly into a shell or PowerShell without any integrity verification, pinning, or safety warning. In an agent skill context, this is especially dangerous because it can normalize or trigger execution of unreviewed code from the network, enabling arbitrary code execution if the upstream source, transport, or repository is compromised.

External Script Fetching

Low
Category
Supply Chain
Content
```bash
# Linux / macOS
curl -fsSL https://raw.githubusercontent.com/loonghao/vx/main/install.sh | bash

# Windows PowerShell
powershell -c "irm https://raw.githubusercontent.com/loonghao/vx/main/install.ps1 | iex"
```
Confidence
96% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/loonghao/vx/main/install.sh | bash

Chaining Abuse

High
Category
Tool Misuse
Content
```bash
# Linux / macOS
curl -fsSL https://raw.githubusercontent.com/loonghao/vx/main/install.sh | bash

# Windows PowerShell
powershell -c "irm https://raw.githubusercontent.com/loonghao/vx/main/install.ps1 | iex"
```
Confidence
99% confidence
Finding
| bash

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
