Owncloud Sync

Security checks across malware telemetry and agentic risk

Overview

The skill performs the advertised OwnCloud/Google Drive comparison, but it ships hard-coded accounts, live-looking credentials, and report-email behavior that could expose private file metadata.

Review before installing or running. Remove all shipped credentials and personal addresses, rotate any exposed OwnCloud passwords, replace the recipient/account values with your own local configuration, inspect the external allfiles service before installing it, and only enable email reports if you are comfortable sending filenames, sync status, and endpoint details to that mailbox.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess
import sys

def run_cmd(cmd):
    try:
        # shell=True is the flagged behaviour: cmd is interpreted by a shell
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
        return result.stdout.strip()
    except subprocess.CalledProcessError as e:
        print(f'Error running command: {cmd}', file=sys.stderr)
        print(e.stderr, file=sys.stderr)
        return None
Confidence
98% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script sends a generated report by email to a hard-coded external recipient, but there is no visible user disclosure, consent flow, or policy guardrail. In this skill context, the report contains filenames and sync status information, so the outbound email capability creates a real exfiltration channel for potentially sensitive metadata.

Intent-Code Divergence

Low
Confidence
86% confidence
Finding
The code persists the full XML search body to disk, which includes searched filenames and query structure, while the comment frames it merely as logging. This creates unnecessary retention of potentially sensitive file metadata and may mislead reviewers about the scope of data being stored.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The script hardcodes a real-looking email address into an exported environment variable, which exposes what appears to be personal account information and can cause tools or tests to run against a specific user account unintentionally. In a reusable agent skill, embedding account identifiers is risky because it can leak PII, couple behavior to one person's account, and encourage unsafe testing practices against live services.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill is an open-ended instruction to generate and run a synchronization/reporting script with no trigger constraints, approval gates, or scope limitations. In an agent setting, this can lead to autonomous handling of sensitive files, credentials, and outbound email actions in contexts the user did not explicitly authorize, increasing the risk of unintended data access or exfiltration.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
The skill hard-codes a specific email/account identity (denis.etienne@gmail.com) for both GOG_ACCOUNT and EMAIL_RECIPIENT, causing the generated workflow to operate under and report to a fixed third-party identity without user opt-in. In context, the script compares cloud storage contents and emails a report, so hard-coded identity values materially increase the chance of unauthorized access attempts, privacy violations, and unintended disclosure of file metadata.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The script uses OwnCloud credentials to perform network searches without any user-facing disclosure or interactive confirmation. Even if this is part of the intended automation, the lack of transparency and hard-coded operational behavior makes unauthorized or unexpected access more dangerous in an agent skill setting.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script writes request data containing searched filenames to a persistent report file without clear disclosure. Because the filenames originate from cloud storage contents, this can expose sensitive business or personal metadata locally to other users, backups, or later exfiltration.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script emails the sync report externally without explicit disclosure or approval. In context, the report lists filenames that are missing or outdated and can reveal sensitive project names, document titles, or storage structure, making this a meaningful privacy and data-leak risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script emails a report containing file inventory and synchronization status to a hard-coded external address, which can expose sensitive filenames, storage endpoints, and operational metadata. In this context, the danger is increased because the script aggregates data from both Google Drive and OwnCloud, potentially leaking business or personal document names and system details outside the storage boundary.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends Basic Auth credentials in a network request and also enables verbose curl logging with stderr redirected to /tmp/curl-debug.log. In many curl builds, verbose output can expose authentication details or other sensitive request metadata, and storing that in a world-accessible temporary path increases the chance of credential disclosure to local users or through log collection.

Missing User Warnings

Low
Confidence
88% confidence
Finding
Exporting a specific email address without clear prompting or validation can silently direct subsequent commands, API calls, or tests toward a real account. While this is not code execution by itself, the skill context makes it more dangerous because environment variables are commonly consumed implicitly by other scripts, increasing the chance of accidental account targeting or privacy leakage.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script embeds a live username/password directly in the command line and uses them to make authenticated requests to a remote ownCloud/WebDAV endpoint. Hardcoded credentials in a skill are highly dangerous because they enable unauthorized access, leak through source control, logs, process listings, and reuse by anyone who obtains the file; the recursive SEARCH request against a Documents path also increases sensitivity because it appears to enumerate potentially private files.

External Transmission

Medium
Category
Data Exfiltration
Content
# curl --silent -u 'TesLaMent963:V02&nCd5BwC7' 'https://qemu.ovh/ocs/v1.php/cloud/capabilities?format=json'

# List the contents of "Documents" (depth 1)
# curl -u 'TesLaMent963:V02&nCd5BwC7'\
Confidence
98% confidence
Finding
curl --silent -u 'TesLaMent963:V02&nCd5BwC7' 'https://qemu.ovh/ocs/v1.php/cloud/capabilities?format=json' # List the contents of "Documents" (depth 1) # curl -u 'TesLaMent963:V02&nCd5BwC7'\ #

VirusTotal

VirusTotal findings are pending for this skill version.
