Clash VPN

Security checks across malware telemetry and agentic risk

Overview

This skill does manage Clash VPN as advertised, but its default guidance can expose powerful proxy, DNS, and controller services to the network without enough warning or scoping.

Install only if you intend to let the agent manage a system-level Clash instance. Before using the template, change controller and DNS listeners to localhost, disable LAN access unless you need it, add controller authentication or firewall rules for any remote access, and review any supplied proxy configuration before letting it overwrite the root Clash config.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding
The skill clearly instructs the use of shell commands and a local script to manage a VPN service, yet no permissions are declared. This creates a transparency and governance gap: an agent may be induced to execute system-level actions without explicit capability scoping or user awareness.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The template sets `external-controller: 0.0.0.0:9090`, exposing Clash's management API on all network interfaces. If the API is reachable from untrusted networks and not additionally protected, attackers could reconfigure the proxy, inspect state, or disrupt traffic; in a VPN/proxy-management skill this is especially risky because the service is explicitly intended to run persistently on a host with network access.

Context-Inappropriate Capability

Low
Confidence: 89%
Finding
The guide configures DNS to listen on `0.0.0.0:53`, which makes the DNS service accessible on all interfaces. This unnecessarily broad exposure can allow unintended LAN use, information leakage, abuse as an open resolver within reachable networks, or a larger attack surface than needed for a local proxy client setup.

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill provides direct instructions to overwrite `/root/.config/clash/config.yaml`, a privileged system configuration path, without an explicit warning, privilege boundary explanation, or confirmation step. If followed blindly, this could replace trusted network routing settings, disrupt connectivity, or install attacker-controlled proxy endpoints that intercept user traffic.

Missing User Warnings

Medium
Confidence: 95%
Finding
The document recommends exposing both the management controller and DNS service on all interfaces without explaining the security consequences. Even if such settings are occasionally needed, presenting them as a default template for general users increases the likelihood of unsafe deployments, especially in a skill whose purpose is to help users quickly configure and operate a proxy service.

VirusTotal

65/65 vendors flagged this skill as clean.
