cz-studio-agent

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real Studio Agent bridge, but it defaults to approving remote action confirmations and can expose a reusable ClickZetta token in configuration output.

Install only if you trust the publisher and the Studio endpoint. Before use, set CZ_INTERRUPT_DECISION_MODE to auto_reject or off unless you intentionally want remote interrupt requests approved automatically. Treat CZ_AGENT_WS_URL as a secret because it contains x-clickzetta-token, avoid sharing logs or chat output that include it, and rotate the token if it has already been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The proxy defaults to CZ_INTERRUPT_DECISION_MODE=auto_approve and later converts interrupt_request messages into interrupt_decision approvals automatically. In a bridge component, this means a remote agent can obtain tool/action execution approval without an explicit local user confirmation step, which materially expands the trust boundary and can enable unauthorized actions through downstream tools.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The skill explicitly states that interrupt requests are auto-approved by default, removing a human confirmation checkpoint for remote actions. In a bridge to a remote agent that can create tasks, run queries, or invoke tools, this can allow sensitive or irreversible actions to proceed without the user's informed consent.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The proxy silently auto-approves interrupt/tool requests without an explicit warning to the user, masking a significant change from passive transport to active authorization. Because the remote agent can trigger interrupts that are then approved automatically, the lack of disclosure increases the likelihood of unsafe tool execution under false operator assumptions.

Ssd 3

Severity: Medium
Confidence: 98%
Finding
Auto-sending `interrupt_decision` for `interrupt_request` bypasses a safety interlock intended to pause execution pending approval. Because this skill is a protocol bridge to a remote Studio Agent, the bypass can authorize remote actions without review, especially dangerous if the remote side requests approval for tool use, task creation, or state-changing operations.

VirusTotal

66/66 vendors flagged this skill as clean.