Security Audit Tools

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate security-audit helper, but it overstates its coverage and can fetch, clone, execute, and persist audit material in ways that need review before use.

Install only if you want an advisory audit assistant and will treat its results as partial. Run helper scripts in an isolated temporary workspace with no secrets, do not rely on LOW RISK as installation approval, and manually review non-JS files, manifests, workflows, installers, dependencies, and any dynamic execution step before trusting the result.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no explicit permissions while instructing use of environment access, filesystem reads/writes, and network operations. That mismatch weakens governance and user/operator awareness, increasing the chance that a broadly triggered skill performs sensitive actions without appropriate review or sandboxing.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill presents itself as a comprehensive pre-install security gate, but the documented workflow only partially covers that promise and omits multiple artifact types and threat classes. This can create dangerous false assurance: users may rely on it to approve installations it is not actually equipped to assess.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill claims review should occur before any download or installation, yet its workflow repeatedly directs downloading packages, tarballs, and repositories as part of the audit. For a pre-install guard, that contradiction expands exposure to untrusted content and undermines the stated safety boundary.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The workflow recommends dynamic execution of downloaded code in Docker and `require('package')`, which is in tension with its role as a non-executing inspection gate. Even with some isolation, executing attacker-controlled code can trigger malicious runtime behavior, escape attempts, or local data access if the environment is misconfigured.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script claims to audit packages safely, but it immediately performs network retrievals with `npm pack` and `git clone`, which contradicts a pre-download inspection guarantee. In the context of a security-guardian skill, this is dangerous because users may rely on it as a safe gate before any remote content is fetched, while it actually pulls attacker-controlled artifacts onto disk and expands the attack surface.

Intent-Code Divergence

Low
Confidence
93% confidence
Finding
The step is presented as merely checking whether a GitHub repository exists, but it actually clones the repository contents to disk. This misleading behavior weakens user trust and can cause unintended retrieval of untrusted remote code in a tool that is supposed to be protective and inspection-oriented.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The scanner only inspects a narrow set of JavaScript/TypeScript files and a small set of regex patterns, while the skill description claims broader install-guardian coverage across packages, repos, shell installers, and GitHub Actions. This mismatch can cause dangerous false negatives, leading users to trust an incomplete review and install unvetted code.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script emits a definitive 'LOW RISK - Safe to install' result even though the module docstring says it is only a quick scan and not a deep review. In a security-gating skill, authoritative safety claims from a shallow scanner can directly induce unsafe installations by creating false confidence.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The module documentation explicitly states the tool is a non-deep scan, yet the program later makes binary install decisions. This contradiction is dangerous because users may rely on the output as a security assurance despite the tool's admitted limitations, especially in an installation-guard context where missed threats matter.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The README instructs users to run audit commands that fetch NPM metadata, download packages, clone repositories, and create local audit directories, but it does not explicitly warn that these steps will perform external network access and modify the local filesystem. In a security-audit skill, omission of these side effects can mislead users into running potentially sensitive operations in trusted environments without appropriate isolation or consent.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The auto-invocation scope is extremely broad and can trigger on common install-related language without clear exclusions. In a security-sensitive skill with network and file capabilities, over-triggering increases the chance of unnecessary access, noisy behavior, or user confusion around when security checks are actually authoritative.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The keyword-trigger list is ambiguous and lacks scope constraints, so the skill may activate in contexts that merely mention installation terms rather than requesting an audit. Because the skill is framed as a mandatory gate, this ambiguity can distort workflow and cause users to overtrust or be interrupted by irrelevant checks.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script downloads package tarballs and clones repositories with only progress messages, not an explicit warning or consent boundary. In a skill meant to inspect third-party packages safely before installation, silent remote retrieval is especially risky because it normalizes handling untrusted content without making the trust transition obvious to the user.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal