SAA Agent

Security checks across malware telemetry and agentic risk

Overview

This is a coherent image-generation skill, but it weakens secure WSS connections and exposes credential and backend-unlock risks that users should review before installing.

Install only if you trust the SAA backend and network path. Prefer local or private-network use, avoid passing real passwords on the command line, redact credentials from transcripts and logs, and allow --skeleton-key only after confirming no other generation is active.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Medium
Confidence: 94%
Finding
Earlier guidance explicitly says not to retry when the backend is busy, but the later error-handling section says to consider one retry with --verbose on failure. This contradiction can lead an agent to retry exactly in the scenario that was supposed to avoid retries, potentially worsening backend congestion or breaking user expectations.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The skill exposes a `skeleton_key` capability explicitly described as unlocking backend atomic lock state, which is a privileged control unrelated to ordinary image generation. In an agent context, this broadens the tool from content generation into backend state manipulation and can bypass concurrency/safety controls, potentially disrupting other jobs or enabling unauthorized operations.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The CLI flag `--skeleton-key` gives end users or upstream agents direct access to a force-unlock backend control that exceeds the stated purpose of generating images. In multi-user or automated environments, such a flag can be abused to interfere with backend locking semantics, causing denial of service, race conditions, or bypass of intended operational safeguards.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to execute commands by default without asking for confirmation, even though the commands may include credentials, network destinations, and filesystem writes. This reduces user visibility into sensitive operations and increases the chance of unintended credential exposure, unintended output creation, or misuse of the backend.

Missing User Warnings

Medium
Confidence: 99%
Finding
TLS certificate verification is explicitly disabled for both the HTTPS login and the WSS connection, so the client trusts any certificate, including attacker-controlled ones. This enables man-in-the-middle interception of credentials, session tokens, prompts, and returned image data, which is especially dangerous because the tool supports remote authenticated connections.

Ssd 3

Medium
Confidence: 97%
Finding
The example command includes username and password in a displayed command line, and the default reporting guidance tells the agent to echo prompts and other potentially sensitive user-supplied content back in plain language. Displaying secrets in commands or logs can leak credentials to transcripts, shell history, monitoring systems, or other observers.

VirusTotal

66/66 vendors flagged this skill as clean.