Understand-Anything

Security checks across malware telemetry and agentic risk

Overview

This skill is a codebase-analysis tool that reads project files, runs local helper scripts, and saves a knowledge graph, with no evidence of deception or data exfiltration.

Install only if you are comfortable with a skill that reads your project source, runs generated local analysis scripts, and writes `.understand-anything/knowledge-graph.json`. For private code, review or ignore the `.understand-anything/` directory before sharing the repository, and avoid running it on untrusted repos without containment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Context-Inappropriate Capability

Medium (93% confidence)
Finding
The prompt explicitly instructs a subagent to write and execute a Node.js script as part of normal analysis. That expands the skill from passive architecture understanding into active code execution, which is risky because the generated script operates on attacker-controlled input data and creates an execution primitive not clearly required by the skill description.

Context-Inappropriate Capability

Medium (95% confidence)
Finding
The prompt prescribes shell commands that create files in /tmp and repeatedly execute a generated script with retries. This introduces an unnecessary shell workflow and multiple opportunities for misuse, especially if file nodes, import edges, or surrounding prompt content can influence generated code or command behavior.

Description-Behavior Mismatch

Medium (91% confidence)
Finding
The prompt instructs the agent to write results into the project workspace under .understand-anything/intermediate/layers.json. Even though this appears operationally useful, it grants file modification capability inside the target repository, which can overwrite files, create persistence artifacts, or interact badly with symlinks and repository hooks if not tightly constrained.

Context-Inappropriate Capability

High (96% confidence)
Finding
The prompt explicitly instructs a subagent to write and execute a script against repository files, which grants active code-execution capability inside a skill whose stated purpose is code understanding. Even if intended for deterministic extraction, this expands the attack surface to arbitrary command execution, makes prompt-injection in analyzed content more dangerous, and can lead to unintended filesystem access or execution side effects.

Context-Inappropriate Capability

Medium (93% confidence)
Finding
The prompt authorizes shell command execution and temp-file creation in /tmp, including writing input files and running node against a generated script. In context, this is dangerous because shell-based workflows can be abused for command execution, path manipulation, or data leakage, especially when the skill may process adversarial repository content and run concurrently.

Context-Inappropriate Capability

Medium (95% confidence)
Finding
The prompt explicitly instructs a subagent to generate and execute a Node.js script against an input graph file. Allowing prompt-driven code execution materially expands the skill from analysis into arbitrary program execution, which can be abused if graph content, file paths, or downstream prompt context are attacker-controlled.

Context-Inappropriate Capability

Medium (97% confidence)
Finding
The prompt directs the agent to invoke an external `node` subprocess and retry after diagnosing failures, creating an autonomous execution-and-repair loop. This increases risk by enabling repeated code execution, potentially amplifying harmful behavior or allowing the agent to adapt around safeguards when handling malicious inputs or environments.

Description-Behavior Mismatch

Low (88% confidence)
Finding
The reviewer prompt instructs the agent to write intermediate and final artifacts to `/tmp` and the project workspace. Unnecessary file-write capability can overwrite files, leak sensitive analysis outputs into shared locations, or be chained with path manipulation to affect unintended files.

Context-Inappropriate Capability

Medium (95% confidence)
Finding
The prompt explicitly instructs a subagent to write and execute a script, which expands the skill from passive repository analysis into active code execution on the host. Even though the stated goal is inventory generation, allowing arbitrary script generation/execution creates unnecessary execution risk and could be abused if repository contents or downstream prompts influence the script.

Context-Inappropriate Capability

Medium (92% confidence)
Finding
The prompt instructs the agent to create directories and write results back into the target project tree, causing side effects in the user's repository. This can modify working state, interfere with tooling or commits, and violate the expectation that an analysis skill should be read-only unless the user explicitly consents.

Context-Inappropriate Capability

Medium (97% confidence)
Finding
The prompt explicitly instructs the agent to write and execute a Node.js script plus shell redirection commands based on prompt-supplied graph data. In a codebase-understanding skill, this grants unnecessary code-execution capability and creates an execution path where adversarial repository content or prompt-injected data could influence file creation, command behavior, or resource consumption.

Context-Inappropriate Capability

Medium (94% confidence)
Finding
The prompt directs writing output into the target project directory, causing the skill to modify the workspace despite being framed as an understanding/analysis capability. In untrusted repositories, this can overwrite files, pollute the tree, interfere with developer workflows, or be combined with symlink/path manipulation to write to unintended locations.

Missing User Warnings

Medium (93% confidence)
Finding
The skill explicitly reads README and package manifest contents and appends them to multiple subagent prompts, which transmits repository content beyond the immediate session boundary without any consent, redaction, or warning. In a codebase-analysis skill, those files can contain internal architecture notes, private package sources, tokens, environment conventions, or other sensitive metadata, so this creates a real data-exposure risk.

Missing User Warnings

Medium (91% confidence)
Finding
The skill gathers a directory tree, detects entry points, and later passes full file inventories and path lists to subagents without clearly informing the user that repository structure metadata will be disclosed. Even when file contents are not fully included, filenames and layout often reveal products, internal services, customers, security components, and technology choices, which is sensitive in many private repositories.

Missing User Warnings

Medium (91% confidence)
Finding
The prompt tells the agent to write results back into the project workspace, which modifies repository contents despite the skill being framed as understanding/analysis. This can create unwanted diffs, overwrite files, interfere with builds or tooling, and give an attacker a primitive for persistence or tampering if repository content can influence what gets written.

Missing User Warnings

Medium (92% confidence)
Finding
The prompt tells the agent to write to `/tmp` and the project workspace without user-facing disclosure or consent. Hidden side effects reduce operator awareness and can lead to unexpected data exposure, workspace modification, or trust boundary violations in environments where prompts are assumed to be read-only.

Missing User Warnings

Medium (96% confidence)
Finding
The skill directs writing a scan result file into the project directory without prominent user-facing disclosure or consent. Hidden write behavior is dangerous because users may assume the skill is observational, while it actually alters repository state and may expose sensitive structural metadata in a persisted file.

Missing User Warnings

Medium (97% confidence)
Finding
The prompt tells the agent to execute a locally written script and retry after diagnosis, but does not clearly warn the user that code will be generated and run on the local system. This is especially risky because model-authored code execution materially increases the attack surface and could lead to unintended command execution, data exposure, or environment changes.

Missing User Warnings

Low (89% confidence)
Finding
The prompt tells the agent to write generated output to a project file without any user-facing disclosure that the workspace will be modified. Even if the content is benign, silent writes violate the principle of least surprise and can create trust and integrity issues for a read-oriented analysis skill.

Missing User Warnings

Low (90% confidence)
Finding
The prompt instructs creating temporary files and executing a Node.js script without disclosing those actions to the user. Hidden file creation and process execution are risky in an analysis skill because they expand the skill's side effects and make it harder for users to assess what the agent is doing on their system.

VirusTotal

63/63 vendors flagged this skill as clean.