Agent Registry

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local agent registry with an automatic prompt-search hook and opt-in telemetry, but I did not find hidden exfiltration or purpose-mismatched behavior.

Install only if you want a persistent hook that locally checks every prompt against your agent registry. Review the indexed agents because their instructions can be loaded into future sessions, avoid --move unless you want source agent files relocated, and leave telemetry unset or set DO_NOT_TRACK/AGENT_REGISTRY_NO_TELEMETRY if you do not want opt-in usage metrics sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill invokes a command hook (`bun ${CLAUDE_PLUGIN_ROOT}/hooks/user_prompt_search.js`) and its documented behavior includes shell execution, environment variable use, and possible networked functionality, yet no permissions are declared. This creates a transparency and governance gap: users and the host system cannot accurately assess or constrain what the skill may access, increasing the risk of unintended prompt inspection, command execution, or data egress.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is presented as a lazy-loading registry, but the described and analyzed behavior extends far beyond discovery: automatic prompt hooks, migration of agent files, optional destructive moves, installation into skill directories, and telemetry to a remote service. This mismatch is dangerous because users may trust and enable a seemingly narrow utility while it performs broader file-system, execution, and potential exfiltration actions that materially change the security posture.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This module sends outbound requests to a third-party telemetry endpoint, which is not necessary for the core agent-discovery function described by the skill. Even though telemetry is opt-in and appears intended for usage analytics, introducing network egress from a local agent-loading skill expands the trust boundary and can leak operational metadata such as platform, runtime, event names, and any caller-supplied fields.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The header comment claims that no search queries or personal information are collected, but the track() function appends every key/value from caller-supplied data into the outbound request. That means any upstream code can accidentally or intentionally send sensitive content such as search terms, agent names, file paths, prompts, or other identifiers, making the privacy claim misleading and creating a clear data exfiltration risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README describes a hook that analyzes every user prompt and injects matching results into context automatically, but it does not give a strong user-facing warning or consent flow around that processing. In a security-sensitive assistant environment, silent prompt interception and augmentation can expose sensitive prompt contents to additional code paths and create unexpected behavior, especially because the hook runs on every prompt and its documented 'fails silently' behavior reduces visibility of errors.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The activation criteria are extremely broad ('may benefit from specialized agent expertise', 'starting complex workflows'), and the skill also declares itself 'MANDATORY' and says Claude 'MUST use this skill'. In context, that increases the chance the skill will run on many ordinary prompts, causing unnecessary prompt interception and expanding the reach of any hidden or over-privileged behavior such as hooks, search, or context injection.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script emits telemetry whenever an agent is retrieved, but there is no visible disclosure, consent flow, or indication of what data may be transmitted. In an agent-discovery skill that may load sensitive or specialized agents, metadata such as which agent was requested, token estimates, and usage patterns can reveal user workflows, project focus, or security-related activity, creating a privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script emits telemetry during initialization via `track("init", ...)` but this file shows no user-facing notice, consent prompt, or opt-out before data collection. In an agent discovery/registry skill, initialization may run on developer workstations and reveal usage metadata such as agent counts and token totals, creating a privacy and trust issue even if the payload is limited.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The script emits telemetry for every search event, including result count, score, latency, and output format, without any visible notice, consent flow, or opt-out in this file. In an agent-discovery skill, search queries may reveal sensitive user intent or project context, so undisclosed tracking creates a privacy and data-governance risk even if the payload is limited.

VirusTotal

65/65 vendors flagged this skill as clean.
