Mithilesh

Security checks across malware telemetry and agentic risk

Overview

This governance skill is mostly purpose-aligned, but it quietly adds Redis-based throttling and a Civic verification message that are not disclosed clearly enough for a security control.

Review before installing. This is not artifact-backed malware, but do not rely on it as a guaranteed enforcement layer unless your environment forces all write actions through it. Clarify or remove Redis usage, treat the Civic message as unimplemented, and avoid putting secrets or sensitive personal data in action justifications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documentation presents ClawGuard as a universal pre-write enforcement layer, but the implementation contains hidden behavior and gaps: undisclosed Redis throttling and identity checks, plus enforcement that is optional because callers may simply skip invoking the tool. This is dangerous because users may rely on the skill as a security control when it is neither fully disclosed nor capable of guaranteed enforcement, which allows governance checks to be bypassed and creates blind spots in audit and compliance expectations.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata presents the system as a SQLite-based audit ledger, but the implementation also introduces Redis as an external dependency that affects governance decisions through throttling. This creates hidden behavior and a capability gap between the declared trust model and actual runtime behavior, which can mislead operators and weaken security review and deployment assumptions.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This code requires network access to Redis for a control-path decision even though the stated purpose is a local SQLite-based governance layer. Undeclared external connectivity expands the attack surface and makes the control depend on the remote store's availability and integrity. Worse, it may permit governance bypass when Redis is unreachable, because the velocity check fails open: any error makes it return false (not throttled) and the action proceeds.
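The fail-open pattern this finding describes, next to a fail-closed alternative, as an added illustration. This is not ClawGuard's code: the key layout, the per-window limit and the stand-in client are assumptions, and a FakeRedis object replaces a real Redis connection so the snippet runs offline.

```python
"""Fail-open versus fail-closed handling of a remote throttling store.

Added illustration, not ClawGuard's code: the key layout, the limit and the
stand-in client are assumptions. FakeRedis replaces a real connection.
"""
import time
from dataclasses import dataclass, field
from typing import Optional

LIMIT_PER_WINDOW = 3     # assumed: actions an actor may take per window
WINDOW_SECONDS = 60      # assumed window length


class BackendUnreachable(Exception):
    """Raised by the stand-in when the throttling store cannot be reached."""


class GovernanceUnavailable(Exception):
    """Raised by the hardened check so a caller cannot mistake an outage
    for a 'not throttled' answer."""


@dataclass
class FakeRedis:
    """Minimal stand-in for the INCR/EXPIRE calls a fixed-window counter needs."""
    reachable: bool = True
    counters: dict = field(default_factory=dict)

    def incr(self, key: str) -> int:
        if not self.reachable:
            raise BackendUnreachable("connection refused")
        self.counters[key] = self.counters.get(key, 0) + 1
        return self.counters[key]

    def expire(self, key: str, seconds: int) -> None:
        if not self.reachable:
            raise BackendUnreachable("connection refused")


def _window_key(actor: str, now: float) -> str:
    return f"velocity:{actor}:{int(now) // WINDOW_SECONDS}"


def velocity_exceeded_fail_open(client, actor: str, now: Optional[float] = None) -> bool:
    """Pattern the finding describes: any backend error is swallowed and the
    check answers False ('not exceeded'), so an outage or a firewalled port
    silently switches throttling off."""
    now = time.time() if now is None else now
    try:
        key = _window_key(actor, now)
        count = client.incr(key)
        client.expire(key, WINDOW_SECONDS)
        return count > LIMIT_PER_WINDOW
    except Exception:
        return False


def velocity_exceeded_fail_closed(client, actor: str, now: Optional[float] = None) -> bool:
    """Hardened variant: a backend error surfaces as GovernanceUnavailable
    instead of being folded into the boolean."""
    now = time.time() if now is None else now
    key = _window_key(actor, now)
    try:
        count = client.incr(key)
        client.expire(key, WINDOW_SECONDS)
    except Exception as exc:
        raise GovernanceUnavailable(f"velocity store unreachable: {exc}") from exc
    return count > LIMIT_PER_WINDOW


def decide(client, actor: str, fail_open: bool, now: Optional[float] = None) -> str:
    """Returns 'ALLOW' or 'DENY'. With fail_open=False an unreachable store
    denies the action rather than waving it through."""
    if fail_open:
        return "DENY" if velocity_exceeded_fail_open(client, actor, now) else "ALLOW"
    try:
        exceeded = velocity_exceeded_fail_closed(client, actor, now)
    except GovernanceUnavailable:
        return "DENY"
    return "DENY" if exceeded else "ALLOW"


if __name__ == "__main__":
    down = FakeRedis(reachable=False)
    print("store down, fail-open  :", decide(down, "agent-1", fail_open=True))
    print("store down, fail-closed:", decide(down, "agent-1", fail_open=False))
```

With the store reachable both variants behave identically; the difference only appears on error, which is exactly the case an attacker who can block the Redis port will try to produce. Denying on outage is the conservative default for a gate that advertises itself as an enforcement layer; if availability matters more, the outage should at least be logged and surfaced rather than reported as "not throttled".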

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The manifest claims actions with risk_level >= 4 are blocked automatically, but the implementation treats risk_level >= 5 differently by returning NEEDS_CIVIC rather than a straight block. This policy mismatch is dangerous because downstream systems may rely on the documented guarantee and incorrectly assume critical-risk actions cannot proceed through any alternate path.
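A conformance check for this kind of mismatch, as an added example rather than ClawGuard's own code: a model of the documented rule and a model of the divergent implementation are evaluated over every risk level, and any level where the manifest promises a hard stop but the code returns something that can still proceed is reported. The manifest fields, decision names and the level-5 NEEDS_CIVIC branch are modelled on the finding's wording and are assumptions; whether level 4 is blocked in the real implementation is not stated on the page, and the model blocks it.

```python
"""Checking a manifest's blocking promise against the decision path that runs.

Added example, not ClawGuard's code: manifest fields, decision names and the
level-5 NEEDS_CIVIC branch are assumptions modelled on the finding's wording.
"""
from enum import Enum
from typing import Callable, Iterable, List, Tuple


class Decision(str, Enum):
    ALLOW = "ALLOW"
    NEEDS_REVIEW = "NEEDS_REVIEW"
    NEEDS_CIVIC = "NEEDS_CIVIC"   # identity check; not a hard stop
    BLOCK = "BLOCK"


# Assumed manifest fragment: the documented guarantee.
MANIFEST = {"review_at_risk_level": 3, "block_at_risk_level": 4}

# Only these outcomes cannot proceed through any alternate path.
HARD_STOPS = {Decision.BLOCK}


def decide_as_documented(risk_level: int) -> Decision:
    """What a reader of the manifest expects to happen."""
    if risk_level >= MANIFEST["block_at_risk_level"]:
        return Decision.BLOCK
    if risk_level >= MANIFEST["review_at_risk_level"]:
        return Decision.NEEDS_REVIEW
    return Decision.ALLOW


def decide_as_implemented(risk_level: int) -> Decision:
    """Model of the divergence: the highest level is routed to an identity
    check instead of being blocked outright (assumed shape of the code)."""
    if risk_level >= 5:
        return Decision.NEEDS_CIVIC
    if risk_level >= 4:
        return Decision.BLOCK
    if risk_level >= 3:
        return Decision.NEEDS_REVIEW
    return Decision.ALLOW


Gap = Tuple[int, Decision, Decision]


def conformance_gaps(documented: Callable[[int], Decision],
                     implemented: Callable[[int], Decision],
                     levels: Iterable[int] = range(1, 6)) -> List[Gap]:
    """Every level where the manifest promises a hard stop but the
    implementation returns an outcome that can still proceed."""
    gaps: List[Gap] = []
    for level in levels:
        doc, impl = documented(level), implemented(level)
        if doc in HARD_STOPS and impl not in HARD_STOPS:
            gaps.append((level, doc, impl))
    return gaps


if __name__ == "__main__":
    for level, doc, impl in conformance_gaps(decide_as_documented, decide_as_implemented):
        print(f"risk_level {level}: manifest says {doc.value}, code returns {impl.value}")
```

The useful property of the check is that it enumerates levels rather than reading the code's thresholds: a branch that reorders comparisons, or adds an escalation path such as NEEDS_CIVIC above the block threshold, shows up as a concrete (level, promised, actual) triple that can be pasted into a review. Treating only BLOCK as a hard stop is deliberate; a pending verification step that is "unimplemented", as the overview puts it, is not a stop.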

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The tool stores free-form justifications in SQLite, and these fields may contain sensitive operational details, user data, secrets, or internal reasoning about intended actions. Persistent retention without minimization, consent, or disclosure creates a confidentiality and privacy risk, especially in a governance tool that is likely to receive sensitive action context.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The audit report API returns stored ledger entries, including prior justifications, without any visible access control or warning about retained data exposure. In a shared or multi-tenant environment, this can leak historical sensitive submissions and operational intent to callers who should not see them.
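The two mitigations that the last two findings point at, minimising justification text before it is persisted and scoping ledger reads to the caller, shown together in one added example. This is not ClawGuard's code: the schema, the tenant column, the secret patterns, the length cap and the sample rows are all assumptions constructed for the illustration.

```python
"""Minimising stored justifications and scoping audit reads.

Added example, not ClawGuard's code. Schema, tenant column, secret patterns
and sample rows are assumptions constructed for the illustration.
"""
import re
import sqlite3
from typing import List, Tuple

# Assumed patterns for secret-looking material; extend to your environment.
SECRET_PATTERNS = [
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                          # AWS access key id
    re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),                       # GitHub token
    re.compile(r"(?i)\b(?:password|token|secret)\s*[:=]\s*\S+"),  # key=value secrets
]
MAX_JUSTIFICATION = 240   # assumed cap; long free text is where secrets hide


def minimise_justification(text: str) -> str:
    """Redact secret-looking tokens and cap length before anything is persisted."""
    for pattern in SECRET_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text[:MAX_JUSTIFICATION]


def open_ledger() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ledger ("
        " id INTEGER PRIMARY KEY, tenant TEXT NOT NULL, actor TEXT NOT NULL,"
        " action TEXT NOT NULL, risk_level INTEGER NOT NULL,"
        " decision TEXT NOT NULL, justification TEXT NOT NULL)"
    )
    return conn


def record(conn, tenant, actor, action, risk_level, decision, justification) -> None:
    """Write path: minimisation happens here, so the raw text never reaches disk."""
    conn.execute(
        "INSERT INTO ledger (tenant, actor, action, risk_level, decision, justification)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        (tenant, actor, action, risk_level, decision, minimise_justification(justification)),
    )
    conn.commit()


def audit_report(conn, caller_tenant: str, include_justification: bool = False) -> List[Tuple]:
    """Read path: rows are filtered to the caller's tenant, and justification
    text is withheld unless the caller asks for it explicitly."""
    if include_justification:
        sql = ("SELECT id, actor, action, risk_level, decision, justification"
               " FROM ledger WHERE tenant = ? ORDER BY id")
    else:
        sql = ("SELECT id, actor, action, risk_level, decision"
               " FROM ledger WHERE tenant = ? ORDER BY id")
    return conn.execute(sql, (caller_tenant,)).fetchall()


def build_sample_ledger() -> sqlite3.Connection:
    """Constructed sample rows for two tenants, with secret-looking justifications."""
    conn = open_ledger()
    record(conn, "acme", "agent-1", "file.write", 2, "ALLOW",
           "Rotating deploy key AKIAABCDEFGHIJKLMNOP after incident")
    record(conn, "acme", "agent-1", "shell.exec", 4, "BLOCK", "cleanup temp files")
    record(conn, "globex", "agent-9", "db.migrate", 3, "NEEDS_REVIEW",
           "password=hunter2 needed for migration")
    return conn


if __name__ == "__main__":
    conn = build_sample_ledger()
    for row in audit_report(conn, "acme", include_justification=True):
        print(row)
```

Redaction on the write path is the important half: a read-side filter can be bypassed by anyone with the SQLite file, but a secret that was never written cannot leak from it. The tenant filter in audit_report is the minimum access control for a shared deployment; in a real service the caller's tenant comes from an authenticated identity, not from a request parameter.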

VirusTotal

0/43 vendors flagged this skill as malicious (43/43 reported it clean).
