AuditClaw Gcp

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate read-only GCP compliance collector, but it is marked Review because its setup asks users to create long-lived GCP service account credentials with little guidance on how to handle them.

Review the setup before installing. Prefer keyless or short-lived GCP authentication (service account impersonation or workload identity) where possible; restrict the service account to the smallest set of read-only roles the checks need; store any JSON key outside the repository with owner-only file permissions; rotate and monitor it; and revoke it as soon as the scan is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill advertises executable behavior requiring environment variables and shell-style command execution, yet does not declare permissions explicitly. This weakens the trust boundary for users and automation that rely on manifest permissions to understand what a skill can access, increasing the chance of unintended command execution or secret exposure from environment variables.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose materially understates actual behavior: the skill writes to a local SQLite database, updates status/error metadata, invokes an external helper, and exposes extra modes beyond passive evidence checks. This mismatch can cause operators to grant trust or deploy the skill under a read-only assumption when it is capable of local state mutation and broader execution paths.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill frames itself as read-only, but its setup instructions direct users to perform privileged GCP write operations such as creating a service account, changing project IAM policy, and generating credentials. Even if these are 'manual setup' steps, the documentation can mislead users about the real operational risk and normalize privilege changes that expand attack surface.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
Stating 'No write/modify permissions' and 'All checks use read-only access only' while later instructing users to create identities, bind roles, and mint keys is internally inconsistent and can cause unsafe operator decisions. In a security/compliance skill, that discrepancy is especially risky because users may trust the documentation without scrutinizing the setup implications.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The setup guide instructs users to create a long-lived service account JSON key and place it in the environment without any warning about its sensitivity, storage, rotation, or revocation. Static JSON keys are a common source of cloud compromise; if the file is leaked from disk, shell history, backups, or logs, an attacker can obtain persistent access to the GCP project within the granted roles.

Natural-Language Policy Violations

Low
Confidence
81% confidence
Finding
Recommending a long-lived Service Account JSON key as the primary authentication method increases credential exposure risk because such keys are easy to copy, persist outside managed controls, and are commonly mishandled in repos, CI systems, or local disks. In a compliance-scanning context that enumerates security-sensitive configuration across a GCP project, compromise of the key could grant broad read access to IAM, logging, DNS, KMS, and infrastructure metadata, which materially aids reconnaissance and follow-on attacks.
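The Overview's handling advice and the Missing User Warnings and Natural-Language Policy Violations findings above reduce to the same operator questions: where does the JSON key live, who can read it, and which identity does it grant? The pre-flight check below is an added example written for this page; it is not code from the AuditClaw Gcp skill or from SkillSpector. It assumes the skill reads the key from GOOGLE_APPLICATION_CREDENTIALS (the standard google-auth variable) and that the operator passes in the repository root; the sample key it inspects is constructed with placeholder values and fake private-key material.

```python
"""Pre-flight hygiene check for a GCP service-account JSON key.

Added example for this page; not code from the AuditClaw Gcp skill.
Assumptions: the key is referenced the way google-auth expects, via the
GOOGLE_APPLICATION_CREDENTIALS variable, and the caller knows the repo root.
"""
import json
import os
import stat
import tempfile
from pathlib import Path

REQUIRED_FIELDS = {"type", "project_id", "private_key_id", "private_key", "client_email"}


def check_key_file(key_path, repo_root=None):
    """Inspect one key file. Returns {"email": str|None, "findings": [(severity, msg)]}.

    "high" findings should block the scan; the "info" line is advice the operator
    should act on (every user-managed key is long-lived, so it is always present).
    """
    findings = []
    key = Path(key_path).expanduser().resolve()
    if not key.is_file():
        return {"email": None, "findings": [("high", f"key file not found: {key}")]}

    # Location: a key inside the skill checkout is one `git add .` away from leaking.
    if repo_root is not None:
        root = Path(repo_root).expanduser().resolve()
        if key == root or root in key.parents:
            findings.append(("high", f"key sits inside the repository tree {root}"))

    # Permissions and ownership (POSIX): nobody but the owner should read it.
    st = key.stat()
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append(("high", f"key mode is {oct(mode)}; chmod 600 it"))
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append(("medium", "key is owned by a different user"))

    # Content: confirm it really is a service-account key and which identity it
    # grants, so the operator knows exactly what to restrict, rotate and revoke.
    try:
        data = json.loads(key.read_text())
    except (OSError, ValueError):
        findings.append(("high", "key file is not valid JSON"))
        return {"email": None, "findings": findings}
    missing = REQUIRED_FIELDS - set(data)
    if data.get("type") != "service_account" or missing:
        findings.append(("high", f"not a service-account key (missing {sorted(missing)})"))
        return {"email": data.get("client_email"), "findings": findings}
    findings.append(("info",
        f"{data['client_email']} key {data['private_key_id']} is a user-managed, "
        "long-lived key: prefer impersonation or workload identity, and revoke it after the scan"))
    return {"email": data["client_email"], "findings": findings}


def check_from_env(repo_root=None):
    """Check whatever GOOGLE_APPLICATION_CREDENTIALS currently points at."""
    path = os.environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if not path:
        return {"email": None, "findings": [("high", "GOOGLE_APPLICATION_CREDENTIALS is not set")]}
    return check_key_file(path, repo_root)


# Constructed sample key: the field names are the real key-file fields, the
# values are placeholders and the private key material is not a real key.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nNOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "auditclaw-ro@example-project.iam.gserviceaccount.com",
    "client_id": "1",
    "token_uri": "https://oauth2.googleapis.com/token",
}


def demo():
    """Run the check against a badly placed key and a well placed one."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "auditclaw-gcp"
        repo.mkdir()
        bad = repo / "key.json"                     # inside the checkout, group/world readable
        bad.write_text(json.dumps(SAMPLE_KEY))
        bad.chmod(0o644)
        good = Path(tmp) / "secrets" / "key.json"   # outside the checkout, owner-only
        good.parent.mkdir()
        good.write_text(json.dumps(SAMPLE_KEY))
        good.chmod(0o600)
        return {"bad": check_key_file(bad, repo), "good": check_key_file(good, repo)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["email"])
        for severity, msg in result["findings"]:
            print(f"  [{severity}] {msg}")
```

Run it before exporting the variable to the skill: a high finding means fix the placement or permissions first, and the info line names the client_email and private_key_id to restrict, rotate and later revoke in IAM. It does not verify that the roles bound to that account are read-only; that still has to be checked against the project's IAM policy.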

VirusTotal

66/66 vendors flagged this skill as clean.
