SysClaw Reporting

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about its SysClaw reporting role, but it uses broad direct database authority and optional persistent polling that users should review before installing.

Install only if you trust the SysClaw database and have a narrowly scoped agent database role. Require explicit user confirmation before submitting access, deployment, install, restart, or configuration requests. Avoid the cron wrapper unless credentials are stored securely, file permissions are restricted, notification output is acceptable in workspace memory, and there is a clear cleanup path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The script directly connects to the SysClaw PostgreSQL database and performs notification reads and state-changing updates instead of using the declared cross-agent communication interface. This bypasses the intended trust boundary, exposes database credentials to the skill runtime, and grants the skill a broader capability surface than its stated purpose, increasing the risk of unauthorized data access or misuse if the script is invoked with arbitrary agent names.

Context-Inappropriate Capability

Medium
Confidence: 82%
Finding
The skill adds inbox-reading and mark-as-read functionality for arbitrary agent names, which is beyond the stated purpose of reporting issues and requesting resources from SysClaw. In this context, the mismatch is security-relevant because it creates an undeclared capability that could let one agent inspect or acknowledge another agent's notifications if no external authorization control prevents it.

Vague Triggers

Medium
Confidence: 90%
Finding
The skill advertises very broad trigger phrases such as 'install package', 'restart service', 'deploy', and 'check status', which are common administrative intents and can cause the skill to activate in many unrelated contexts. In an agent ecosystem, over-broad routing to a privileged reporting/request channel increases the chance of unintended escalation, submission of sensitive operational requests, or misuse of SysClaw as a proxy for impactful changes.

Missing User Warnings

Medium
Confidence: 97%
Finding
The instructions tell users to place database credentials directly in a script under /usr/local/bin and then schedule it via cron, which creates plaintext secret exposure on disk and a recurring privileged execution path. This can leak credentials through file reads, backups, process/environment inspection, or misconfigured permissions, and the cron job continuously propagates notifications into workspace files without discussing access controls or secret-handling risks.

VirusTotal

VirusTotal findings are pending for this skill version.