Telegram-Bot-managerj

Security checks across malware telemetry and agentic risk

Overview

This is a user-started local full-drive file server with real safeguards, but its broad default access and URL-based token handling create review-worthy risk.

Install only if you intentionally need a local file server that can browse and download sensitive files. Set GOD_MODE_ROOT to a narrow dedicated folder instead of C:\, keep GOD_MODE_HOST on 127.0.0.1, use a strong token, do not disable token auth, avoid sharing UI URLs because they may contain the token, and stop the server when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium (98% confidence)
Finding:
The UI implements arbitrary folder browsing and file download from a configured root, which materially exceeds the declared purpose of managing and hardening storage-serving workflows. In a high-privilege local storage context, this mismatch is dangerous because it can disguise a general file exfiltration interface as an administrative tool, increasing the likelihood of unauthorized access to sensitive files.

Context-Inappropriate Capability

Medium (99% confidence)
Finding:
The code places the authentication token into URL query parameters, causing it to be exposed in browser history, copied links, logs, referrer leakage, and potentially screenshots or shared URLs. Because this interface is for high-privilege storage operations and downloads, leakage of the token could enable unauthorized browsing and file access.

Missing User Warnings

Medium (93% confidence)
Finding:
The skill explicitly manages a full-drive file server and even documents a default root of `C:\`, but it does not prominently warn users that this can expose the entire local filesystem if misconfigured or if authentication/binding controls fail. In this context, the omission is security-relevant because the capability is inherently high risk and users may underestimate the consequences of enabling it.

Missing User Warnings

Medium (99% confidence)
Finding:
The download and list requests transmit the token in the URL without any warning to the user, increasing the chance the credential is inadvertently disclosed through bookmarks, browser history, logs, or shared links. In a file-browsing interface tied to privileged local storage, silent exposure of credentials substantially raises the risk of unauthorized data access.

Missing User Warnings

Medium (95% confidence)
Finding:
The runbook provides direct examples for reading and downloading sensitive local files from a server rooted at `C:\` without any explicit warning, scope restriction, or safety guidance. In the context of a 'god-mode' high-privilege file server, these examples normalize access to system files and materially increase the risk of unauthorized disclosure of sensitive host data if the service is exposed, misconfigured, or the token is reused.

Missing User Warnings

Medium (96% confidence)
Finding:
The server exposes arbitrary file listing, reading, and downloading from a high-privilege root (default C:\) over HTTP, which can disclose highly sensitive local data if the token is obtained, reused, logged, or disabled. The skill context makes this more dangerous because it is explicitly designed to serve high-privilege storage workflows, magnifying the blast radius of any authentication weakness or operational mistake.

VirusTotal

66/66 vendors flagged this skill as clean.
