Homebrew Bridge

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it creates SSH wrappers so a Linux gateway can run selected Homebrew tools on a trusted Mac.

Install this only if you intentionally want a Linux OpenClaw gateway to run selected Homebrew tools on a trusted Mac over SSH. Use explicit tool and host mappings, avoid wrapping shells or broad privileged CLIs, prefer a least-privilege Mac account or SSH key, and remove the wrapper files when they are no longer needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 92% confidence
Finding: The skill documentation directs the agent to read local configuration files and execute shell scripts, but it declares no corresponding permissions. This creates a mismatch between advertised and actual capabilities, which can cause the skill to run with broader implicit access than reviewers or policy enforcement expect. In this context, the skill also sets up SSH-based wrappers to a remote Mac and can influence command execution paths, making undeclared file-read and shell access more sensitive than a purely local utility skill.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal