
Security audit

Exec Tool

Security checks across malware telemetry and agentic risk

Overview

This skill is a command runner that claims to restrict execution, but the only gate is a weak prefix check (the input need only begin with the string 'clawhub') before the whole string is handed to a shell via subprocess.getoutput, so it can run unintended shell commands.

Review carefully before installing. Do not connect this skill to chat bots, agents, CI/CD, or a production VPS unless it is sandboxed and restricted. A safer version should accept structured parameters, allow only specific clawhub subcommands and flags, execute without a shell, and require confirmation for actions that mutate local, account, or deployment state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        return "Command not allowed"

    try:
        result = subprocess.getoutput(command)
        return result[:4000]  # Telegram limit safe
    except Exception as e:
        return str(e)
Confidence
98% confidence
Finding
result = subprocess.getoutput(command)

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The docstring and comment claim the command execution is 'safe' and 'VERY IMPORTANT', but the implementation only checks whether the input begins with 'clawhub' before invoking a shell. This mismatch creates a false sense of security and can cause reviewers or downstream developers to trust a dangerous interface that is actually vulnerable to shell injection and arbitrary command execution.
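The following is an added example, not code from the skill or from SkillSpector. It puts the prefix check this finding describes beside the safer design sketched in the overview (structured parameters, an allowlist of subcommands and flags, argv execution with no shell, confirmation before mutating actions). The subcommand names (`search`, `info`, `install`), their flags, and the argument layout are assumptions made for illustration, not the real clawhub CLI surface.

```python
"""Weak prefix check versus an allowlisted, shell-free command runner.

Added example. The subcommand names, flags and argv layout below are
assumptions for illustration, not the real clawhub CLI.
"""
import re
import subprocess
from dataclasses import dataclass


def weak_is_allowed(command: str) -> bool:
    """The pattern the audit describes: only the leading bytes are checked,
    and the whole string is then handed to /bin/sh by subprocess.getoutput."""
    return command.startswith("clawhub")


# Allowlist of subcommands the runner may invoke (assumed names), the flags
# each may take, and whether the action changes local/account/deployment state.
ALLOWED = {
    "search":  {"flags": {"--limit"},   "mutates": False},
    "info":    {"flags": set(),         "mutates": False},
    "install": {"flags": {"--version"}, "mutates": True},
}

# Positional and flag values must start alphanumeric (so they can never be
# parsed as a flag) followed by a short run of safe characters. Spaces,
# quotes, ';', '$', '|', backticks and newlines cannot get through.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@/-]{0,63}$")


@dataclass(frozen=True)
class Plan:
    argv: tuple      # exact argument vector, never joined into a shell string
    mutates: bool    # True -> caller must confirm before execute()


def build_plan(subcommand: str, args=(), flags=None) -> Plan:
    """Validate structured input against the allowlist and produce an argv."""
    spec = ALLOWED.get(subcommand)
    if spec is None:
        raise PermissionError(f"subcommand not allowed: {subcommand!r}")
    argv = ["clawhub", subcommand]
    for value in args:
        if not SAFE_VALUE.match(value):
            raise ValueError(f"rejected argument: {value!r}")
        argv.append(value)
    for name, value in (flags or {}).items():
        if name not in spec["flags"]:
            raise PermissionError(f"flag not allowed for {subcommand}: {name!r}")
        if not SAFE_VALUE.match(value):
            raise ValueError(f"rejected flag value: {value!r}")
        argv += [name, value]
    return Plan(tuple(argv), spec["mutates"])


def execute(plan: Plan, confirmed: bool = False, timeout: int = 30) -> str:
    """Run the plan without a shell; mutating plans need explicit confirmation."""
    if plan.mutates and not confirmed:
        raise PermissionError("mutating action requires confirmation")
    proc = subprocess.run(list(plan.argv), shell=False, capture_output=True,
                          text=True, timeout=timeout)
    return (proc.stdout + proc.stderr)[:4000]


def rejects(fn, *a, **kw) -> bool:
    """True if fn raises one of the validation errors above."""
    try:
        fn(*a, **kw)
    except (PermissionError, ValueError):
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: all pass the prefix check; under getoutput each
    # string would reach the shell intact.
    for bad in ("clawhub search x; id",
                "clawhub search $(cat ~/.ssh/id_rsa)",
                "clawhub-evil --help"):
        print(weak_is_allowed(bad), bad)
    print(build_plan("search", ["foo"], {"--limit": "5"}).argv)
    print(rejects(build_plan, "search", ["foo; id"]))
    print(rejects(execute, build_plan("install", ["foo"])))
```

Even with argv execution, `"clawhub"` is still resolved through PATH; a hardened deployment would pin an absolute path, run under a dedicated low-privilege user, and log every executed plan, none of which the allowlist alone provides.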

VirusTotal

No vendor flagged this skill (64/64 clean). Antivirus signatures detect known malicious files, not a design flaw such as passing attacker-controlled strings to a shell, so this result does not offset the findings above.

Static analysis

No suspicious patterns detected.