Nexus Sentinel

Security checks across malware telemetry and agentic risk

Overview

This SRE automation skill is mostly coherent, but it asks for broad server control, file access, backups, and external notifications without tight enough limits.

Install only if you intend to let this skill help administer a host. Before use, restrict it to specific services and backup paths, require confirmation for cleanup, restarts, and backups, use least-privilege Maton credentials, and avoid sending unredacted logs or configuration data to external services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Tainted flow: 'payload' from os.getenv (line 43, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
# We use Maton API for secure relay
payload = {"to": target, "message": f"[NEXUS] {message}"}
try:
    requests.post(f"{API_GATEWAY}/whatsapp/send", json=payload, headers={"Authorization": f"Bearer {api_key}"}, timeout=10)
except:
    pass
Confidence
93% confidence
Finding
requests.post(f"{API_GATEWAY}/whatsapp/send", json=payload, headers={"Authorization": f"Bearer {api_key}"}, timeout=10)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The manifest requests a MATON_API_KEY even though the described functionality is SRE monitoring, log rotation, and service recovery. That mismatch suggests unnecessary secret access and violates least-privilege, creating a path for unrelated external API use or secret exfiltration if the skill is compromised or behaves unexpectedly.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The backup function claims to protect sensitive files, but it only blocks paths containing a few substrings. An attacker can still provide arbitrary paths to non-matching sensitive files, use alternate naming, or reference confidential data outside intended directories, enabling unintended file access and possible later exfiltration once upload logic is implemented.
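The contrast the finding draws, as an added example (not the scanned skill's code): a substring denylist of the kind described beside an allowlist check that resolves the path first and requires it to sit under a configured backup root. The denylist fragments, the backup root layout and the sample paths are constructed for illustration; the finding only says the skill blocks "a few substrings".

```python
import os
import tempfile
from pathlib import Path

# Assumed denylist fragments; the scanned skill's actual list is not shown on the page.
SENSITIVE_FRAGMENTS = ("/etc/shadow", ".ssh/", ".env")


def weak_is_allowed(path: str) -> bool:
    """The pattern the finding describes: refuse only paths containing a listed fragment.

    Anything not on the list, or spelled differently, passes, including files
    that are just as sensitive as the listed ones.
    """
    return not any(fragment in path for fragment in SENSITIVE_FRAGMENTS)


def hardened_is_allowed(path: str, backup_roots) -> bool:
    """Allowlist check: the fully resolved path must lie inside a configured backup root.

    realpath collapses '..' and follows symlinks before the comparison, so a
    symlink planted inside a backup root cannot be used to reach outside it.
    """
    real = Path(os.path.realpath(path))
    for root in backup_roots:
        root_real = Path(os.path.realpath(root))
        if real == root_real or root_real in real.parents:
            return True
    return False


def demo_escapes():
    """Run both checks over constructed inputs; returns {case: (weak, hardened)}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "backups")
        os.makedirs(os.path.join(root, "app"))
        outside = os.path.join(tmp, "secret.key")       # constructed file outside the root
        with open(outside, "w") as fh:
            fh.write("constructed-secret")
        # A symlink inside the backup root that points at the file outside it.
        link = os.path.join(root, "app", "innocent.txt")
        os.symlink(outside, link)

        cases = {
            "inside": os.path.join(root, "app", "db.sqlite"),
            "dotdot": os.path.join(root, "app", "..", "..", "secret.key"),
            "symlink": link,
            "unlisted": "/etc/passwd",      # sensitive, but matches no fragment
            "respelled": "/etc/./shadow",   # fragment defeated by a harmless './'
        }
        for name, p in cases.items():
            results[name] = (weak_is_allowed(p), hardened_is_allowed(p, [root]))
    return results
```

Every escape case passes the substring check and is rejected by the resolved-path allowlist; only the path genuinely under the backup root passes both. The allowlist is the control the Overview's "restrict it to specific backup paths" advice asks for.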

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The function silently uses a bearer credential from the environment to send messages to an external service, and failures are suppressed. In an agent skill context, hidden outbound communication with credentials is risky because users may not realize operational or potentially sensitive data can leave the host.
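What a non-silent version of that outbound call would look like, as an added example (not the scanned skill's code): the send happens only after explicit operator confirmation and only to an allowlisted recipient, credential-looking substrings are masked before the message leaves the host, and transport failures are logged and returned rather than swallowed. The transport is injected as a callable so the example runs offline; the redaction patterns, recipient format and result type are assumptions for illustration.

```python
import logging
import re
from dataclasses import dataclass

log = logging.getLogger("nexus.notify")

# Assumed credential shapes to mask before transmission (illustrative, not exhaustive).
SECRET_PATTERNS = [
    (re.compile(r"(?i)\b(bearer\s+)[A-Za-z0-9._~+/=-]+"), r"\1[REDACTED]"),
    (re.compile(r"(?i)\b(api[_-]?key|token|password|secret)(\s*[=:]\s*)\S+"), r"\1\2[REDACTED]"),
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED]"),  # AWS access key id shape
]


def redact(text: str) -> str:
    """Mask credential-looking substrings so they cannot ride along in a notification."""
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


@dataclass
class NotifyResult:
    sent: bool
    reason: str
    message: str  # the text that would leave the host, after redaction


def notify(target: str, message: str, send, *, allowed_targets, confirmed: bool) -> NotifyResult:
    """Guarded outbound notification.

    send(target, message) is the transport (the relay call in the skill); here it is
    injected so the behaviour can be exercised without network access.
    """
    if not confirmed:
        return NotifyResult(False, "outbound notification not confirmed by operator", message)
    if target not in allowed_targets:
        return NotifyResult(False, f"recipient {target!r} not in allowlist", message)
    safe = redact(message)
    # The user can see what leaves the host: no hidden outbound traffic.
    log.info("outbound notification to %s: %s", target, safe)
    try:
        send(target, safe)
    except Exception as exc:  # surface the failure instead of `except: pass`
        log.error("notification to %s failed: %s", target, exc)
        return NotifyResult(False, f"transport error: {exc}", safe)
    return NotifyResult(True, "sent", safe)
```

The bearer token used to authenticate to the relay never needs to appear in the message body, and with the allowlist and confirmation gate in place the skill cannot be steered into messaging an arbitrary recipient with host data.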

VirusTotal

63/63 vendors flagged this skill as clean.
