swagger-skill

Security checks across malware telemetry and agentic risk

Overview

This Swagger helper mostly does what it claims, but it automatically installs npm packages on import and can make authenticated, state-changing API calls or upload local files without strong safeguards.

Install only if you are comfortable with automatic npm package installation and real API execution. Use trusted Swagger hosts, prefer test or least-privilege credentials, review the matched endpoint and HTTP method before calls, and only pass file paths you explicitly intend to upload.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability
Severity: High (97% confidence)

Finding: The skill performs runtime dependency installation by invoking npm init and npm install through execSync. That behavior introduces arbitrary code-execution risk through package lifecycle scripts, mutates the local environment unexpectedly, and exceeds the stated purpose of a Swagger query/call utility. In an agent setting, hidden package installation is especially dangerous because it can change system state and pull untrusted code from the network without explicit consent.

Context-Inappropriate Capability
Severity: Medium (84% confidence)

Finding: The upload helper accepts an arbitrary filesystem path string and opens it with fs.createReadStream, enabling the skill to read local files and transmit them to remote endpoints. While file upload can be functional for some APIs, unrestricted local file access materially expands the capability of the skill beyond simple Swagger inspection and can expose sensitive host data if the path is influenced by untrusted input.

Missing User Warnings
Severity: Medium (90% confidence)

Finding: The skill explicitly supports natural-language matching followed by direct API execution, but the documentation does not warn that ambiguous prompts may trigger state-changing endpoints against live systems. In an agent context, this increases the risk of unintended writes, deletions, or administrative actions because users may treat it as a read-only query assistant.

Missing User Warnings
Severity: Medium (92% confidence)

Finding: The documentation encourages passing tokens and cookies directly into the skill without warning about credential sensitivity, transport security, logging exposure, or reuse against untrusted Swagger URLs. In a tool that fetches remote specs and invokes APIs, mishandling these secrets can lead to credential leakage or misuse across systems.

Missing User Warnings
Severity: Medium (95% confidence)

Finding: The code silently launches subprocesses to run npm init and npm install without user-facing disclosure or consent. Beyond transparency concerns, this creates a meaningful security issue because subprocess execution plus package installation can alter the environment and execute third-party install scripts, making the behavior much more dangerous in an automated agent context.

VirusTotal

66/66 vendors flagged this skill as clean.