Ex-Coder

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill for a powerful coding CLI, but it normalizes broad agent access and contains several under-scoped examples that users should review carefully before installing it.

Install only if you intentionally want a powerful coding-agent workflow. Use read-only or plan mode first, keep MCP filesystem roots scoped to the project, do not expose the HTTP API beyond localhost without strong controls, review snapshot reverts before running them, avoid broad or permanent shell-profile changes unless you approve them, and verify the external npm packages before giving them API keys.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Intent-Code Divergence

Medium (92% confidence)
Finding
The skill states a hard safety rule that Excoder must only be run through sub-agents, but the rest of the document contains multiple examples that execute it directly. This contradiction can cause implementers to choose the unsafe pattern, leading to context leakage, unintended tool execution in the main agent, and bypass of the isolation the skill itself says is required.

Intent-Code Divergence

Medium (95% confidence)
Finding
This section explicitly says to always use sub-agents, yet earlier code samples invoke Bash directly in the current context. In agent skills, contradictory operational instructions are dangerous because downstream agents may follow the executable example instead of the prose policy, defeating intended isolation controls.

Missing User Warnings

Medium (84% confidence)
Finding
The snapshot/revert commands modify repository state and can discard local work, but the documentation presents them as routine commands without a visible warning about destructive effects. Users or agents may invoke revert or cleanup automatically and lose uncommitted changes or historical state.

Missing User Warnings

Medium (96% confidence)
Finding
The memory purge command deletes stored memory/cache data, but the skill does not warn that this may remove persistent context or operational state. In an agent setting, undocumented deletion primitives can be triggered casually and cause loss of state, auditability, or task continuity.

Missing User Warnings

Medium (94% confidence)
Finding
The skill exposes an HTTP API that can return session info, turns, configuration, and accept messages, but it lacks a strong warning about network exposure, authentication, and sensitive conversation data leakage. If enabled insecurely, it creates a remote-control and data-exfiltration surface over agent sessions.

Missing User Warnings

Medium (95% confidence)
Finding
The MCP examples include a GitHub token and a filesystem server pointed at broad paths, but do not warn about credential handling or the risk of granting models expansive file and repository access. This can enable accidental secret exposure, repository modification, or overbroad tool access beyond the intended scope.

Missing User Warnings

Low (82% confidence)
Finding
The skill suggests appending environment configuration to shell startup files to persist preferences, but does not warn that this changes the user's permanent environment and may affect future sessions. While not inherently malicious, silent persistence is risky in an automation context because it modifies user state beyond the immediate task.

VirusTotal

66/66 vendors flagged this skill as clean.