ClawHub

Security

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed safety-check CLI that sends the instruction being checked to a Modeio backend and shows no hidden persistence, destructive behavior, or credential collection.

Install this only if you are comfortable sending instruction text, operation context, and target identifiers to the configured Modeio safety backend. Do not include secrets or credentials in those fields, verify SAFETY_API_URL in shared environments, install dependencies from trusted sources, and ensure your caller treats network/API failures or blocking responses as stop conditions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares no explicit permissions even though its documented behavior depends on shell execution, environment-variable use, and outbound network access to a backend safety API. This creates a capability/permission mismatch that can mislead operators or policy engines about what the skill can do, increasing the chance of unintended execution in environments that would otherwise require review or sandboxing.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The CLI sends the provided instruction, and optionally context and target, to a remote backend for analysis, but the code presents no explicit disclosure or consent at the transmission point. Because this skill is specifically meant to analyze potentially sensitive operational instructions before execution, users may unknowingly transmit secrets, internal paths, URLs, service names, or compliance-relevant data to an external service.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal