Mult Call

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its advertised database-retrieval purpose, but it loads the entire contents of a local .env file (including any unrelated secrets) into a Python subprocess, so users should review its scope before installing.

Install only in an environment where the shared skills .env contains least-privilege credentials for this workflow. Keep unrelated API keys, account tokens, and production secrets out of that .env, and review the external Neo4j, Milvus, and embedding endpoints before using it with sensitive business questions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3 (Medium)
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill declares no explicit permissions, yet its documented behavior includes reading environment variables and writing to workflow files. This creates a transparency and consent problem: users and orchestrators cannot accurately assess or constrain what the skill can access or modify, which increases the chance of unintended secret exposure or filesystem side effects.

Context-Inappropriate Capability (Medium)
Confidence: 96%
Finding: The skill explicitly reads a parent-directory .env file and injects its contents into process.env, expanding its access to configuration and secrets beyond the documented retrieval behavior. In this wrapper, those values are then available to all downstream code and the spawned Python process, creating unnecessary secret exposure and privilege expansion if the Python module is compromised or overly permissive.

Context-Inappropriate Capability (Medium)
Confidence: 72%
Finding: The wrapper launches an external Python interpreter, which gives the skill general subprocess execution capability. Although the immediate code uses a fixed inline script rather than user-controlled shell input, spawning another interpreter broadens the attack surface and bypasses the tighter in-process controls the platform may expect for a simple retrieval skill.

Missing User Warnings (Low)
Confidence: 87%
Finding: The skill states that it writes results into a local workflow file but does not warn the user that running it modifies local state. Hidden file writes can surprise users, overwrite expected data-flow artifacts, and be abused in chained workflows where downstream components trust those files.

Missing User Warnings (Medium)
Confidence: 93%
Finding: The documented --clean option says it clears this step and subsequent outputs, but there is no strong warning about the scope of deletion. In workflow-driven environments, such cleanup can cause loss of intermediate artifacts, break auditability, or erase data relied upon by later steps.

Missing User Warnings (Medium)
Confidence: 94%
Finding: Sensitive environment values are loaded from .env and implicitly made available to the subprocess without any minimization or disclosure. This matters because the skill's stated purpose is QA/vector/graph retrieval, yet the wrapper silently grants the Python component access to whatever secrets exist in the parent environment.

Missing User Warnings (Medium)
Confidence: 90%
Finding: The code sends the user's natural-language query to an external embedding provider and then to Milvus for vector search, but there is no consent gate, redaction step, or even a runtime notice that potentially sensitive user input leaves the local boundary. In an analytics skill, user queries can easily contain business-sensitive data, identifiers, or secrets, so this is a real privacy and data-handling weakness even if it is not overtly malicious.

VirusTotal

66/66 vendors flagged this skill as clean.