run402

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent for Run402 deployments, but it needs Review because it can install an unpinned global CLI, create persistent payment authority, handle admin keys and secrets, and perform paid or destructive cloud actions without consistently requiring confirmation.

Install only if you intend to use Run402 for paid cloud resources. Verify the npm package and version first, start on testnet or with minimal funds, require explicit approval for every paid/mainnet action and deletion, and protect or rotate any wallet files, service keys, project configs, and deployed secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The skill includes a paid endpoint for sending arbitrary messages to Run402 developers, which is outside the core stated purpose of provisioning, hosting, databases, and image generation. This creates an unnecessary external communication channel that could be abused for data exfiltration, spam, or unintended charges if an agent follows the documentation literally.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The skill instructs the agent to solicit funding from a human and route them to external billing and Stripe flows, which expands behavior beyond the declared operational scope. That introduces social-engineering and payment-risk exposure, especially because the agent is given suggested persuasive scripts and a billing URL tied to a wallet address.

Vague Triggers

Medium
Confidence: 84%
Finding
The activation description is broad enough to match common phrases like building a webapp, deploying a site, creating a database, generating images, or merely mentioning Run402. Over-broad triggering can cause the skill to activate in contexts where the user did not intend external provisioning, payment-backed actions, or persistent resource creation.

Missing User Warnings

Medium
Confidence: 86%
Finding
The documentation presents project deletion commands without any warning, confirmation guidance, or recovery caveat. In a skill that manages persistent infrastructure, an agent could translate this directly into destructive behavior that causes data loss or service interruption.

Missing User Warnings

Medium
Confidence: 85%
Finding
The storage API examples include object deletion without highlighting that the action is destructive and may permanently remove user data. In agent-oriented documentation, omission of warnings increases the chance an automated workflow performs irreversible deletion without informed consent.

VirusTotal

60/60 vendors flagged this skill as clean.