开悟吧

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed activation helper, but it lets a remote API automatically install additional skills and supply agent-facing instructions without clear per-action approval.

Review carefully before installing. Use this only if you trust kaiwu8 and its configured API endpoint to decide which extra ClawHub skills may be installed. Prefer manually reviewing each required skill before installation, protect and revoke the API key if needed, and treat printed what/why/how instructions as untrusted suggestions until approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for attempt in range(retries):
    try:
        result = subprocess.run(
            ["clawhub", "install", slug],
            capture_output=True,
            text=True,
Confidence
88% confidence
Finding
result = subprocess.run( ["clawhub", "install", slug], capture_output=True, text=True, timeout=60, cwd=str(O

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises behavior that runs a local script, contacts a remote API, auto-activates features, and downloads missing skills, yet no permissions are declared. This creates a dangerous trust gap: users and the platform are not clearly informed that the skill can access the network, shell, environment, and local files, increasing the chance of unauthorized actions and remote code introduction.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The declared purpose is feature management/activation, but the implementation also installs additional skills from ClawHub. This hidden expansion of capability increases risk because a user invoking an activation workflow may not reasonably expect it to fetch and install new software based on server responses.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Executing an external CLI to install software is a powerful operation not justified by a simple activation action. Because the install target comes from remote data, the script effectively delegates package installation authority to the server without local policy enforcement or user approval.

Intent-Code Divergence

Medium
Confidence
74% confidence
Finding
The documentation is inconsistent about whether Step 6 merely returns instructions or causes the agent to execute changes to `agents.md`. In a security-sensitive workflow, this mismatch is dangerous because it obscures the real trust boundary and may normalize later agent-driven modification based on remote instructions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow states that unactivated functions are automatically activated and missing skills are downloaded from ClawHub, but the description does not warn users that these actions happen automatically. Auto-installation and activation materially increase risk because they can change the local environment and introduce additional code without an informed approval step.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The configuration requires a user API key and the process checks purchased features via a remote endpoint, but there is no privacy warning explaining that credentials and related account data will be sent off-device. This can expose sensitive identifiers, purchase metadata, and account linkage to remote systems without informed consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script installs missing skills automatically without a clear warning or confirmation at the moment of action. In this context, silent installation materially increases risk because the skill is triggered by a simple phrase and can change the local environment based on remote instructions.

Ssd 4

High
Confidence
96% confidence
Finding
The design explicitly says the server returns `what/why/how` and that the agent understands and executes it, including precise modifications to `agents.md`. This creates a direct path for untrusted remote natural-language content to steer downstream agent behavior and potentially induce unsafe file or system changes.

Ssd 4

High
Confidence
95% confidence
Finding
The code surfaces remote `what/why/how` content as actionable guidance, and the surrounding documentation indicates an agent may execute based on that guidance. Even if this script only prints today, it establishes an indirect prompt-injection channel where the server can influence privileged agent decisions or operator actions.

VirusTotal

66/66 vendors flagged this skill as clean.
