Nexus Cli

Security checks across malware telemetry and agentic risk

Overview

This media-server admin skill is mostly coherent, but it needs review because it can collect local API keys, change Docker services and media-stack configuration, delete download data, and delegate fixes to external AI tools.

Install only if you are comfortable giving this skill administrative control over your media stack and Docker environment. Review its config and commands before agent use, avoid auto/fix modes unless you intend changes, restrict API keys, check file permissions on ~/.config/admirarr/config.yaml and compose .env files, and do not use it on shared WSL hosts where other users' Windows profiles may be accessible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (43)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill advertises capabilities that imply shell, network, environment, and file-write access but does not declare permissions or boundaries. In a skill that can restart services, modify indexers, run setup/migration flows, and invoke agent-assisted fixes, this lack of explicit permission scoping creates a real risk of silent high-impact actions against the host and media stack.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The skill documentation explicitly forbids deleting user files or media, yet it exposes `admirarr downloads remove <hash> [--delete-files]`, which can delete files when the flag is used. This creates a policy/behavior mismatch that can cause an agent or operator to perform destructive actions under the false assumption that the skill never deletes user data.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The command promises to report health warnings, but for Radarr, Sonarr, and Prowlarr it treats API errors or empty responses as "Healthy". This can mask real outages, authentication failures, or degraded service states, causing operators to trust a false-green health report and delay investigation of production issues.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The command advertises that it will detect running services and harvest API keys before generating output, which is credential collection behavior. Even if intended for migration convenience, automatically discovering and extracting secrets from live services increases the chance of unauthorized credential access or of accidental disclosure into generated files, logs, or broader skill state, especially because this behavior is not reflected in the higher-level skill description.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This client exposes unrestricted pass-through Get/GetJSON/Post/Put/Delete methods that allow callers to hit arbitrary service endpoints, bypassing the safety boundaries implied by the typed media-management wrapper. In an agent skill context, that expands the action surface from specific approved operations to effectively full API access on Radarr/Sonarr/Prowlarr, enabling unintended configuration changes, data access, or destructive actions if an upstream prompt or tool invocation is manipulated.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The client includes administrative capabilities for Prowlarr indexers and download clients, including create, update, and delete-style configuration changes, which materially exceed a simple status/monitoring interface. In this skill context, those functions can rewire indexer sources or download backends and alter how the media stack behaves, making prompt-induced misuse or overbroad agent authority more dangerous.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code enumerates Windows user profiles under /mnt/c/Users and probes multiple qBittorrent.ini locations, then later reads whichever file exists. This expands access beyond the active media-server configuration into other local users' application data, which is unnecessary for normal media-server management and can expose sensitive host filesystem information in WSL or mixed-host deployments.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code delegates unresolved issues to external AI agent CLIs and, for Claude, explicitly enables Bash tooling. That gives an LLM the ability to execute arbitrary shell commands on the host using a prompt constructed from runtime state, which materially expands capability beyond simple media-server diagnosis and creates a command-execution pathway with only a generic confirmation prompt.

Intent-Code Divergence

Low
Confidence
93% confidence
Finding
Although Claude-specific variables are stripped, the child process still inherits the rest of the parent environment unchanged. External AI agent CLIs commonly read API keys, tokens, cloud credentials, SSH-related variables, and service secrets from the environment, so spawning them with broad inherited env creates an unnecessary secret-exposure channel.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This file implements automatic credential discovery by reading API keys from local config files and by executing `docker exec ... cat` inside containers. For a media-server management skill, silently harvesting secrets from the host and containers exceeds the minimum needed behavior and creates a powerful credential-access primitive that could be abused to later control multiple services without explicit user consent.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The WSL path logic enumerates `/mnt/c/Users` and searches multiple Windows user profiles for service configuration files, including accounts unrelated to the current operator. Cross-account secret discovery materially increases the blast radius because the skill can collect API keys from other users on the same machine, not just the invoking user's media stack.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The migration collects API keys from installed services and aggregates them into a result structure, increasing the blast radius of any later logging, serialization, crash dump, or accidental exposure. In a media-server management skill, harvesting secrets from multiple services is especially sensitive because the skill already has broad local access and may centralize credentials the user did not intend to export.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code will automatically complete the Jellyfin startup wizard, create an admin user, and mint an API key if it detects an uninitialized server. That is a privileged, state-changing takeover path against any reachable Jellyfin instance and it can happen in auto mode without an explicit confirmation gate, so a mis-targeted host or exposed service could be silently claimed by this tool.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The function claims to report service health accurately, but for Radarr/Sonarr/Prowlarr it treats both an error from the health API and an empty response as "Healthy". This can mask outages, authentication failures, or degraded service states, causing operators or downstream automation to trust a false-safe status and delay detection or remediation of real problems.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README advertises `doctor --fix` performing automatic repairs such as restarting containers and creating directories, but it does not prominently warn that these actions modify the host environment. In an agent-operated context, this is risky because an LLM or user may invoke the command expecting diagnostics only, leading to unintended service disruption or filesystem changes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The setup section states that the tool will deploy services, wire integrations, and write configuration, but it does not clearly foreground that running setup changes system state. For an agent skill intended for automation, lack of explicit caution increases the chance of unintended deployment, service creation, or configuration drift on the user's machine.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The activation text is broad enough to trigger on generic media, downloads, movies, TV, or streaming questions, which can cause the skill to run in situations where the user did not intend host-level management actions. Because this skill includes operational and destructive commands, overbroad routing increases the chance of unintended access to local services and administrative workflows.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The command list includes clearly destructive or configuration-changing actions such as restarting services, removing downloads, syncing indexers, setup, migration, and `doctor --fix`, but the documentation does not warn about side effects or require confirmation. In this operational context, an agent could translate a casual request into service disruption, data loss, or unwanted configuration drift.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The config section states that service URLs and API keys are stored and may be auto-discovered from Docker containers, but it provides no warning about credential access, storage sensitivity, or exposure risks. In a skill designed for agent integration and diagnostics, this materially increases the danger of secrets being collected, logged, or used beyond the user's expectation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The `indexers remove` command performs an immediate destructive delete of a Prowlarr indexer once a name matches, with no confirmation prompt, dry-run, or force flag separation. In an agent skill that manages a live media-server stack, a mistaken invocation, ambiguous user request, or unsafe automation path could remove production configuration and disrupt downloads/searching.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The JSON status output includes `r.RequestedBy.DisplayName`, which exposes requester identities to anyone allowed to invoke or consume the `status` command output. In a media-server context this can leak personal information about household members or users into logs, automations, chat transcripts, or other downstream systems that were only expected to receive operational status data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The installer downloads an archive from the network and then unconditionally removes any existing target binary before replacing it. This is dangerous because users are not given an explicit confirmation prompt, backup, checksum/signature verification, or rollback path, so a compromised release or unexpected version could silently replace a trusted executable.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The health-check logic places API keys directly into query strings for services such as SABnzbd, Tautulli, and generic *Arr services. Query parameters are commonly exposed in reverse-proxy access logs, browser/history tooling, monitoring systems, and error traces, so a leaked key could allow unauthorized control of the user's media-management services. In this skill context, those services can add content, manage downloads, and restart components, which makes credential leakage more consequential than a simple read-only status check.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The function scans every non-system Windows profile directory and constructs paths into AppData locations without any user-facing notice or consent. In the context of an agent skill, this is dangerous because it silently inspects sensitive per-user filesystem locations unrelated to the immediate request and could reveal information about other accounts on the machine.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The prompt sent to the external agent includes filesystem paths, service inventory, ports, container names, and issue descriptions, and the process also receives inherited environment variables. The user is asked only whether to run the fix, not whether they consent to disclosure of local system context and possible secrets to a third-party AI tool, so sensitive operational data may be exposed without informed consent.

VirusTotal

65/65 vendors flagged this skill as clean.