Java Performance Analyzer

Security checks across malware telemetry and agentic risk

Overview

This looks like a real Java diagnostics skill, but it gives an agent powerful remote access to live servers and JVM memory without enough containment or confirmation.

Install only if you trust the publisher and intend to give the agent controlled access to the target Java server. Prefer SSH keys or a secret manager instead of passwords, do not store SSH passwords in MEMORY.md, bind Arthas to localhost behind an SSH tunnel, verify downloaded binaries, and require explicit approval before heap dumps, watch/trace, profiling, decompilation, or arbitrary Arthas commands on production systems.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly instructs use of shell commands, SSH, SCP, local scripts, and environment-dependent tooling, yet no explicit permissions boundary is declared. That creates a capability mismatch where an agent may execute impactful local and remote operations without transparent user consent or policy gating.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
Although framed as a performance diagnostic skill, it enables broad remote operational access: arbitrary Arthas commands, decompilation of classes, heap dumps to arbitrary paths, remote installation, and SSH-password-based access. These capabilities can expose source code, secrets, memory contents, and enable unsafe actions on production systems beyond narrowly scoped diagnostics.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The `arthas_command` tool forwards arbitrary user-supplied strings directly to the remote Arthas API, creating a generic command-execution surface far broader than the declared diagnostic workflows. In the context of a live JVM attached through Arthas, unrestricted commands can expose sensitive runtime data, alter tracing state, decompile classes, dump data, or trigger intrusive operations without any policy guardrails.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The `heapdump` tool accepts an arbitrary filesystem path and passes it to Arthas, enabling creation of heap dump files at attacker-chosen locations on the target host. Heap dumps often contain credentials, tokens, PII, and application secrets, so arbitrary dump generation is both a sensitive-data exposure risk and a file-write capability beyond narrowly scoped performance inspection.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrases include broad, everyday requests like '帮我排查 xxx 问题' ("help me troubleshoot the xxx problem") or '分析下 xxx 性能' ("analyze the performance of xxx"), which can activate a high-capability remote diagnostics skill unintentionally. Because the skill can connect over SSH and run powerful tooling, accidental invocation materially increases the chance of unnecessary credential collection or remote actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill exposes arbitrary Arthas command execution without any visible warning that the action may run intrusive diagnostics or expose sensitive runtime information. Even if command execution is intended for troubleshooting, the absence of disclosure and consent makes it easy for callers to trigger high-impact operations unknowingly.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Heap dump creation is performed without any disclosure that it writes a large sensitive file to disk and may capture secrets from application memory. In a remote-analysis skill, hidden dump generation increases operational and privacy risk because users may not realize they are creating persistent forensic artifacts on production systems.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The `watch_method` tool is designed to capture runtime parameters and return values, which can include passwords, tokens, personal data, and business-sensitive payloads. Because the skill provides this capability without warning, masking, or scope controls, it creates a meaningful risk of unintended secret and privacy exposure during diagnosis.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script requires an SSH password as a positional argument and feeds it to sshpass, which exposes credentials to shell history, process listings, logs, and accidental shoulder-surfing. In a remote-diagnostics skill, this is especially risky because operators may run it against production hosts, making credential theft or reuse more damaging.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script downloads and launches Arthas attached to a live remote JVM, then enables an HTTP API bound to 0.0.0.0 without explicit confirmation or strong safety checks. This is an invasive action on a production process and may expose a powerful diagnostic interface beyond localhost depending on host firewalling, increasing the risk of unauthorized access or operational impact.

VirusTotal

64/64 vendors flagged this skill as clean.
