Recognize Intent

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its analytics intent-recognition purpose, but it needs review because it can broadly load local secrets and send queries or credentials to configurable external services.

Review before installing. Use only in a trusted BI environment, remove or rotate the embedded token, avoid placing unrelated secrets in the shared skills .env, restrict who can set gemini_api_url, require HTTPS and an approved endpoint, and validate any matched_sql or logic_dsl in a separate SQL safety stage before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The skill explicitly loads a local .env file and reads GEMINI_API_URL, GEMINI_API_KEY, and GEMINI_TOKEN into process.env, then uses them to call an external LLM service. For an intent-recognition skill this is a real sensitive-data exposure concern because it expands the trust boundary to external services and allows hidden credential use without any explicit access control or minimization in this file.

Context-Inappropriate Capability

Medium
Confidence: 81%
Finding
The file uses child_process.spawn to run an embedded Python program via python -c. While this may be for implementation convenience, invoking an external interpreter increases attack surface, complicates sandboxing, and can enable execution of unintended code if the runtime or imported module is tampered with.

Missing User Warnings

Medium
Confidence: 85%
Finding
This code forwards credentials from input or environment into a Python subprocess and ultimately to an external LLM endpoint, while also passing the full inherited environment to the child process. That combination is sensitive behavior and there is no evidence here of user-facing disclosure, consent, or redaction controls, making secret handling and subprocess propagation riskier.

Missing User Warnings

High
Confidence: 99%
Finding
The code embeds a long default Gemini token and uses it automatically when GEMINI_TOKEN is unset. Hardcoded secrets are dangerous because they can be extracted from source control or deployed artifacts, then reused to access the upstream service, impersonate the application, or incur unauthorized cost and data exposure.

Missing User Warnings

Medium
Confidence: 91%
Finding
User queries are sent verbatim to an external Gemini REST endpoint, and elsewhere the skill also forwards indicator names and semantic content derived from business questions. In a BI context, those queries can contain sensitive commercial data, store names, dates, and internal terminology; exfiltrating them to third-party services without explicit consent, policy gating, or data minimization creates a real confidentiality and compliance risk.

Credential Access

High
Category: Privilege Escalation
Content:
const path = require('path');
const fs = require('fs');

// Load skills/.env
(function loadDotEnv() {
  const envFile = path.join(__dirname, '..', '.env');
  if (!fs.existsSync(envFile)) return;
Confidence: 93%
Finding: .env

Credential Access

High
Category: Privilege Escalation
Content:
// Load skills/.env
(function loadDotEnv() {
  const envFile = path.join(__dirname, '..', '.env');
  if (!fs.existsSync(envFile)) return;
  for (const line of fs.readFileSync(envFile, 'utf8').split('\n')) {
    const m = line.match(/^\s*([A-Z_][A-Z0-9_]*)\s*=\s*(.+?)\s*$/);
Confidence: 93%
Finding: .env'

Credential Access

High
Category: Privilege Escalation
Content:
function execPython(script, stdinData, skillDir) {
  return new Promise((resolve, reject) => {
    const proc = spawn(PYTHON_BIN, ['-c', script, skillDir], {
      env: { ...process.env },
    });

    let stdout = '';
Confidence: 95%
Finding: .env

VirusTotal

66/66 vendors flagged this skill as clean.
