Situation Monitor

Security checks across malware telemetry and agentic risk

Overview

This monitoring skill is mostly a real triage tool, but it bundles live infrastructure access and a demo script that can alter or delete a Kubernetes cluster with weak safeguards.

Install only after review. Use fixture mode or a disposable demo cluster by default, provide least-privilege read-only Kubernetes credentials for live scans, avoid private Discord channels unless users have approved ingestion, and do not run 02-incidents.sh against real infrastructure, especially the destroy command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The script is framed as an incident demo/trigger utility, but it also exposes a destructive cloud control-plane action that deletes the entire GKE cluster. Mixing routine demo operations with irreversible infrastructure destruction increases the chance of accidental invocation, misuse by an agent, or abuse by anyone with access to the script.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
This skill is described as monitoring/triage, yet the script directly mutates live Kubernetes workloads, resets state, and can delete infrastructure. In an agentic context, giving a monitoring skill write/destructive primitives broadens the blast radius from observation to outage creation, making accidental or prompt-induced harmful actions much more dangerous.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The README explicitly promotes use of a script that can inject failures into a live GKE cluster, which exceeds a monitoring skill's stated triage purpose and increases the chance operators will run disruptive actions in production-like environments. Even if framed as a demo, documenting failure induction inside the skill bundle normalizes potentially destructive behavior and could cause service disruption or data loss if misused.

Description-Behavior Mismatch

Medium
Confidence: 81%
Finding
The README broadens the skill from reporting and triage into live Kubernetes cluster scanning, which materially increases its operational reach and access to sensitive infrastructure data. In a hosted agent context, this scope expansion can surprise deployers and create unintended access to cluster state that is not obvious from a simple monitoring description.

Context-Inappropriate Capability

Medium
Confidence: 80%
Finding
The documentation instructs users to run npm install and execute node main.js at a local absolute path, which introduces software build and execution behavior beyond the core monitoring workflow. This expands the attack surface to dependency installation and arbitrary code execution from the repository root, increasing supply-chain and unintended-execution risk.

Missing User Warnings

High
Confidence: 99%
Finding
The cluster deletion command uses a hardcoded target and --quiet, so it bypasses any interactive safeguard before destroying the environment. If triggered accidentally, by automation, or through agent misuse, it can cause full loss of service and potentially permanent destruction of the demo or production-like cluster.

Missing User Warnings

Medium
Confidence: 87%
Finding
The reset action silently overwrites learned-patterns.md, deleting accumulated incident knowledge without confirmation or backup. In this skill's context, that file influences future agent behavior, so silent resets can erase operational context, degrade incident handling, and hide prior learned patterns during demos or real use.

Missing User Warnings

Medium
Confidence: 93%
Finding
The README instructs users to collect and summarize Discord message content from live channels without a clear privacy notice, consent model, or data-handling warning. This can lead to unauthorized processing of private or sensitive communications, especially in workplace Discord servers where message content may include credentials, incident details, or personal data.

Missing User Warnings

Medium
Confidence: 89%
Finding
This function sends the raw query text to a third-party Contextual API whenever credentials are configured, and there is no filtering, minimization, or consent mechanism in this code path. In this skill's context, queries may contain sensitive Discord incident details, operational runbook context, or Kubernetes outage information, so outbound transmission to an external service creates a real confidentiality and privacy risk.

Missing User Warnings

Medium
Confidence: 92%
Finding
When `settings.friendli_token` is present, the code sends an overview seed derived from Discord channel activity to `FriendliRefiner.rewrite_overview(...)`. That seed includes channel names, summaries of recent messages, and action items, so operational incident details may be transmitted to an external model provider without any visible consent gate, redaction, or disclosure in this file.

Missing User Warnings

Medium
Confidence: 94%
Finding
The reply-drafting path sends `item.channel`, `item.summary`, and `item.action_items` to `FriendliRefiner.draft_reply(...)` whenever a token is configured. In this skill's context, those fields can contain sensitive operational, incident-response, or internal discussion data from Discord and Kubernetes triage, so undisclosed third-party transmission creates a real confidentiality risk.

Missing User Warnings

Medium
Confidence: 90%
Finding
The method sends operational summary content to an external LLM provider, which can expose sensitive incident details, internal infrastructure context, or regulated data if the input is not sanitized or user-approved. In this skill context, summaries are derived from Discord and Kubernetes incidents, making third-party transmission materially risky because the content may include confidential operational information during active incidents.

Missing User Warnings

Medium
Confidence: 93%
Finding
This function transmits channel names, summaries, and action items to an external model API, which can leak internal communications metadata and incident response details outside the organization boundary. Because the skill is specifically designed to triage Discord activity and operational incidents, the context increases sensitivity: outbound drafting may expose privileged discussions, response plans, or service-impact information to a third party.

Missing User Warnings

Medium
Confidence: 89%
Finding
This code sends incident content and actor-supplied input to the external Apify service via `client.actor(...).call(run_input=run_input)` and then retrieves data back from Apify. Because incident and environment-derived operational data may include sensitive outage details, service names, URLs, or internal context, forwarding it to a third party without clear consent, minimization, or trust-boundary checks creates a real data-exposure risk.

Ssd 3

Medium
Confidence: 77%
Finding
The skill is designed to ingest and summarize Discord traffic, which inherently risks exposing sensitive user-generated content in generated reports or drafts. Even with guardrails favoring fixture mode and public sources, the live Discord workflow can still collect private, confidential, or unnecessary data if channel scope and retention are not tightly controlled.

VirusTotal

67/67 vendors flagged this skill as clean.
