Bomb Dog Sniff

Security checks across malware telemetry and agentic risk

Overview

This security scanner has a coherent defensive purpose, but it ships runnable malware-like test samples and a high-impact installer, so it should be reviewed before normal installation.

Install only after review. Prefer removing or converting the bundled malicious test fixtures into inert data before normal use, and run safe-install in an isolated environment because it downloads code and can modify existing installed skills.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (26)

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The code executes `npx clawhub@latest download ...`, which causes network-fetched code to be resolved and run at install time. In a tool whose purpose is to safely quarantine and scan untrusted skills, invoking a mutable external package before completion of the trust decision expands the attack surface and can permit compromise through a malicious or hijacked package, dependency, or lifecycle script.

Description-Behavior Mismatch

Critical
Confidence
99% confidence
Finding
This file implements overtly malicious capabilities including wallet targeting, credential theft, exfiltration, reverse shell behavior, encoded payload execution, download-and-execute, scam messaging, and keylogging. That directly contradicts the declared purpose of a defensive pre-installation scanner, making the mismatch highly suspicious and dangerous in context.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
The code attempts to access Ethereum wallet data, environment secrets, and local config, then transmit them to attacker-controlled endpoints. These are classic theft and exfiltration behaviors with no legitimate role in a skill advertised as a safety scanner.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
The script launches a bash reverse shell, opens a socket-backed shell, and executes remote content piped into bash. These behaviors provide remote code execution and persistence opportunities for an attacker and are unjustifiable for a defensive scanner.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
The code registers a keydown listener, inspects password fields, and posts captured information to an external webhook. This is keylogging and surveillance behavior, which can expose credentials and sensitive user activity.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The comment claims the script is only for scanner validation, but the implementation contains operational malicious techniques rather than inert test fixtures or simulated strings. Deceptive labeling increases risk because it may be intended to bypass reviewer suspicion.

Description-Behavior Mismatch

Critical
Confidence
100% confidence
Finding
The file is overtly inconsistent with the declared purpose of a defensive skill: it contains wallet theft, secret harvesting, reverse shells, keylogging, scam prompts, exfiltration, and persistence. In the context of a skill manager, this is especially dangerous because it would run with user trust and potentially broad local/browser access.

Context-Inappropriate Capability

Critical
Confidence
100% confidence
Finding
The code launches classic reverse shells and remote command channels via bash, netcat, and Python. That gives an attacker interactive remote control of the host, which is wholly unjustified for a malware-scanning skill and can lead to full system compromise.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The function reads local configuration and harvests environment secrets such as API keys, tokens, and passwords. For a pre-installation scanner, collecting such material is unnecessary and creates immediate risk of credential theft and account compromise.

Context-Inappropriate Capability

Critical
Confidence
100% confidence
Finding
The class captures keystrokes and password field contents, then provides a method to transmit them off-host. This is classic spyware behavior and is far beyond any legitimate need of a skill that claims to scan other skills before installation.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code displays a fraudulent payment request and alters copied wallet addresses in the clipboard path. This directly facilitates financial theft and social engineering, and has no defensive scanning justification.

Context-Inappropriate Capability

Critical
Confidence
100% confidence
Finding
Appending remote-execution commands to shell startup files and installing cron beacons establishes persistence on the host. Persistence ensures repeated attacker access after the initial execution and materially raises the severity from one-time abuse to durable compromise.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The header explicitly states the file contains intentional malicious patterns, which directly contradicts the defensive skill description. While a comment alone is not an exploit, in this context it is a strong integrity red flag that the package includes known-malicious content disguised as a security tool.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation describes a workflow that downloads, deletes, moves, backs up, and installs skills, including replacing existing installations, but does not prominently warn users that local files will be modified. For a security-oriented tool, understated destructive side effects can mislead operators into running it against important paths or installed skills without understanding the mutation risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
When `autoInstall` is enabled, an existing skill can be replaced automatically, and with `backup=false` it may be deleted outright, without an explicit confirmation prompt. In a security-sensitive skill manager, silent overwrite of active skill content increases the risk of accidental replacement, downgrade, or persistence of a malicious skill under a trusted name.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script reads secrets from environment variables and local config, then exfiltrates data without any disclosure or consent. Lack of warning is not the main problem here; the underlying behavior is unauthorized secret theft.

Missing User Warnings

High
Confidence
99% confidence
Finding
Subprocess execution and interactive remote shell behavior occur silently, enabling attacker control of the host. In the context of a scanner skill, this is especially dangerous because users may trust it with elevated access during installation workflows.

Missing User Warnings

High
Confidence
99% confidence
Finding
Downloading a script from a remote source and piping it directly into bash is an unsafe remote-code-execution pattern. No disclosure or confirmation is present, and the behavior can immediately compromise the system.

Missing User Warnings

High
Confidence
100% confidence
Finding
The code accesses wallet-related data and transmits private material to an attacker-controlled endpoint without any disclosure or consent. In a trusted security skill, silent collection of wallet keys is especially dangerous because users may assume the tool is protecting them while it steals assets.

Missing User Warnings

High
Confidence
100% confidence
Finding
Subprocess-based reverse shell execution is performed covertly and without user confirmation. Hidden execution of remote control channels enables immediate takeover of the host and violates any reasonable user expectation for a scanning utility.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill reads credential-bearing files and environment variables without notifying the user. Covert access to secrets is dangerous because it enables impersonation, data theft, and lateral movement while bypassing user awareness.

Missing User Warnings

High
Confidence
98% confidence
Finding
The code decodes and executes base64 payloads using eval and the Function constructor without warning. Dynamic execution hides behavior from review and can be used to stage additional malicious actions or evade static detection.

Missing User Warnings

Critical
Confidence
100% confidence
Finding
Keystroke capture, password capture, and remote transmission occur without any user-facing disclosure. This is direct credential surveillance and can lead to account takeover, financial theft, and privacy violations across any sites the user interacts with.

Missing User Warnings

High
Confidence
100% confidence
Finding
The function sends arbitrary data to external destinations including DNS-style endpoints, a Discord webhook, and an ngrok tunnel with no disclosure. Multiple covert channels increase the likelihood of successful data theft and make detection/containment harder.

Missing User Warnings

High
Confidence
100% confidence
Finding
The code downloads and executes remote shell scripts using curl|bash and wget|sh without user warning. This is a textbook remote code execution pattern that allows attackers to change behavior at any time by updating the hosted scripts.

VirusTotal

66/66 vendors flagged this skill as clean.
