AuditClaw GRC

Security checks across malware telemetry and agentic risk

Overview

The skill’s GRC functionality is coherent, but it needs review because it asks for high-value cloud and identity credentials through chat and can run companion integration scripts.

Review before installing in any real environment. Use least-privilege, read-only cloud roles; do not paste service-account JSON, client secrets, or API tokens into chat; prefer local environment variables or a secret manager; verify any auditclaw companion skills before running connection tests; and only run scans against systems you own or are authorized to assess.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        return {"status": "error", "message": f"Evidence script not found: {script_path}"}

    try:
        result = subprocess.run(
            ["python3", script_path, "--test-connection"],
            capture_output=True, text=True, timeout=30
        )
Confidence
96% confidence
Finding
result = subprocess.run( ["python3", script_path, "--test-connection"], capture_output=True, text=True, timeout=30 )

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
A script presented as a unified database query interface also performs credential storage and retrieval for external providers. Expanding scope this way concentrates sensitive secrets in a broadly featured CLI entrypoint, increasing the chance of accidental exposure, misuse by other actions, and unsafe operator expectations. In this skill context, credential handling is especially sensitive because the same system orchestrates cloud and identity-provider integrations.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The test-connection action locates and executes external companion scripts from installed skill directories. That means the security of this action depends on the integrity of separate packages and local filesystem state; a malicious or replaced companion script yields arbitrary code execution under the current user's context. Because this skill also manages credentials and compliance data, compromise could expose secrets, evidence, and local environment data.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The activation triggers include many generic enterprise terms such as 'audit', 'risks', 'controls', 'framework', and 'security scan', making accidental invocation likely during ordinary conversation. Over-broad activation can cause the skill to activate in unintended contexts and prompt or perform sensitive operations involving local databases, reports, scans, or cloud integration workflows. Because this skill can touch compliance data and credentials, mistaken routing is more dangerous than for a read-only informational skill.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The credential storage flow accepts secret material through a generic description field, which is misleading and unsafe. Users or calling agents may log, echo, or repurpose description data assuming it is non-sensitive, causing accidental disclosure of cloud credentials or API tokens. In this skill's context, that could expose access to AWS, GitHub, Azure, GCP, or identity providers.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The connection-test path silently launches external provider scripts without an explicit disclosure at the action boundary. Even if the called script is legitimate, this violates least surprise and can trigger network access, credential use, or local code execution when a user may think they are only querying status. The lack of transparency makes risky behavior easier to hide or misuse.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill exposes a broadly defined, user-invocable scanning workflow without clear constraints on permitted targets, authorization checks, or safety boundaries. That can enable misuse as a generic external scanning interface against arbitrary URLs, creating SSRF-like behavior, unauthorized probing of third-party systems, or policy/legal risk if the agent performs scans on assets the user does not control.

Ssd 3

High
Confidence
95% confidence
Finding
The setup guide instructs users to send raw cloud credentials and secret values through conversation. Conversational channels are often logged, retained, or visible to operators and other tools, so encouraging secret transmission this way creates a high risk of credential exposure and downstream cloud compromise.

Ssd 3

Critical
Confidence
99% confidence
Finding
The GCP setup guide explicitly asks the user to send full service-account JSON key contents. A service-account key is a high-value long-lived credential; if exposed in chat logs or model context, it can grant persistent programmatic access to cloud resources. In a compliance tool, this is especially dangerous because the requested key likely has broad read access across security-relevant services.

Ssd 3

High
Confidence
97% confidence
Finding
The identity-provider setup flow asks for sensitive setup material including API tokens and admin-linked details through conversation. These secrets can enable broad access to user directories, factors, policies, and audit data, and chat-based collection increases exposure through logs and model retention pathways.

Ssd 3

High
Confidence
98% confidence
Finding
Repurposing a general description field to carry secret data is an unsafe design that almost guarantees mishandling. Description fields are commonly displayed, audited, searched, exported, or reused in summaries; storing secrets there can leak credentials to logs, reports, operators, or other actions. Given this script's broad reporting/export features, exposure risk is amplified.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
        return parse_cert(domain, cert, cipher, protocol), None

    except ssl.SSLCertVerificationError as e:
        # Try again without verification to get cert details
        context_no_verify = ssl.create_default_context()
        context_no_verify.check_hostname = False
        context_no_verify.verify_mode = ssl.CERT_NONE
Confidence
90% confidence
Finding
without verification

VirusTotal

66/66 vendors flagged this skill as clean.