Workspace Casual Lucas

Security checks across malware telemetry and agentic risk

Overview

This skill offers workspace automation, but it exposes unrestricted local command execution and arbitrary file reading through broad WhatsApp message triggers, with no visible safety controls.

Review carefully before installing. Use this only if you intentionally want WhatsApp-accessible local shell command execution and file reading, and only after adding strict command allowlists, workspace-only path checks, sender authorization, and explicit confirmation for risky operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The skill exposes direct shell execution via execSync(command) with no validation, restriction, or sandboxing. In an agent skill that otherwise appears to provide workspace/file utilities, this grants arbitrary OS command execution, enabling full host compromise, data theft, destructive actions, and lateral movement.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The skill explicitly exposes a generic `run_command` capability that allows arbitrary shell command execution, which is far broader than its stated purpose of providing a casual interface for workspace commands. In an agent context, this enables execution of destructive, exfiltrating, or persistence-establishing commands on the host system, especially because the skill also references a real local workspace path and provides no visible restrictions or allowlist.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill explicitly advertises the ability to run commands and read files in the user's workspace, but it provides no warning, restriction, confirmation flow, or scope limitation for potentially dangerous actions. In an agent setting, a casual natural-language interface to command execution and file access can enable unintended destructive commands, exposure of sensitive local data, or misuse through prompt injection or ambiguous user requests.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The code executes arbitrary shell commands immediately and synchronously without any warning, confirmation, or safety interlock. This makes accidental or prompt-injected execution far more likely and removes an important defense against destructive or sensitive operations.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill exposes shell execution without any user-facing warning, disclosure, or indication of the risks, which increases the chance that users or upstream agents invoke it without understanding that arbitrary OS-level commands may run. In practice, this reduces informed consent and makes accidental misuse, privilege abuse, or social-engineering-driven execution more likely.

Vague Triggers

Severity: High
Confidence: 98%
Finding
The trigger pattern `(?i).*run command (.*)` is extremely broad and maps directly to a `run_command` action using attacker-controlled input from WhatsApp. This creates a natural-language path to arbitrary command execution, making accidental invocation or deliberate abuse highly likely if any untrusted user can send messages to the channel.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The `(?i).*open file (.*)` trigger is broad and captures arbitrary file arguments from a messaging channel without visible path constraints or confirmation. This can be invoked by ordinary phrasing and may expose sensitive files or enable path traversal depending on how `open_file` resolves the provided path.

VirusTotal

0 of 64 vendors flagged this skill as malicious. Antivirus engines match known malware signatures and behaviour; a clean scan says nothing about the design-level issues above, where the risk is the capability itself rather than a malicious payload.
