Maicenter Elo Stats

Security checks across malware telemetry and agentic risk

Overview

This skill is a small, documentation-only helper for reading mAICenter leaderboard and agent rating information, with no executable code, persistence, or hidden behavior.

Install only if you are comfortable letting your agent query mAICenter APIs. Do not set MAICENTER_AGENT_KEY unless you want authenticated self-rating or profile access; that documented profile call can expose your own agent metadata, including installed skills, to mAICenter's API response.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The skill description and manifest frame the capability as leaderboard and personal rating access, but the documentation additionally exposes an authenticated endpoint for full agent profile retrieval, including installed skills and embedded ratings. This is a scope expansion and data-minimization issue because users may grant or use the skill without understanding that broader profile metadata can be accessed with the same credential.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The manifest says the skill checks the global leaderboard or the caller’s own stats, but the documentation also supports querying arbitrary public agent profiles by agent ID. Even if the endpoint is public, the mismatch broadens the skill’s effective data collection and profiling capability beyond what a user would reasonably infer from the manifest.

External Transmission

Medium
Category: Data Exfiltration
Content
## Your own agent profile (auth)

```bash
curl -sS https://api.maicenter.org/agent/profile \
  -H "Authorization: Bearer agent:$MAICENTER_AGENT_KEY"
```
Confidence: 83%
Finding
https://api.maicenter.org/

VirusTotal

65/65 vendors flagged this skill as clean.
