File Download Server

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it can expose a local folder over the network and automatically change firewall rules without a separate consent gate.

Install only if you intentionally want an unauthenticated temporary HTTP download server. Use a dedicated folder containing only files meant for sharing, prefer localhost unless external access is required, avoid untrusted filenames/descriptions, stop any daemon process after use, and manually remove any firewall rule it opened.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Try to open the firewall port
    try:
        result = subprocess.run(
            ["iptables", "-I", "INPUT", "-p", "tcp", "--dport", str(args.port), "-j", "ACCEPT"],
            capture_output=True,
            text=True
Confidence
96% confidence
Finding
result = subprocess.run( ["iptables", "-I", "INPUT", "-p", "tcp", "--dport", str(args.port), "-j", "ACCEPT"], capture_output=True, text=True )

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and demonstrates shell execution, file reads, and file writes, but declares no permissions or capability boundaries. That mismatch is dangerous because an agent may invoke the skill without appropriate user awareness or policy checks, while the documented behavior can expose local files over HTTP and modify firewall state.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The script interpolates user-controlled values such as title, description, and file names directly into HTML and attribute contexts without escaping. If a file name or CLI-supplied text contains HTML or JavaScript payloads, the generated download page can execute script in a visitor's browser, which is especially relevant because this skill is designed to publish pages for other users to open over HTTP.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill alters host firewall policy via iptables, which is a privileged system-administration action beyond the expected scope of a temporary download server. In this skill context, that makes the behavior more dangerous because the tool is intended for convenience file sharing, yet it silently changes network exposure and may leave the system reachable from untrusted networks.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad enough to match normal requests like 'send file' or 'file download', causing the skill to activate in situations where the user may not expect a network service to be created or a firewall port to be opened. In this skill's context, accidental activation is more dangerous because the action exposes filesystem content over the network, not just a harmless local transformation.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill prominently presents one-command startup but does not clearly warn, up front, that the server binds to 0.0.0.0 by default and makes the chosen directory reachable over the network. This omission materially increases the risk of unintentionally exposing sensitive files, especially since the skill also automates firewall opening and is aimed at quick ad hoc sharing.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The quickstart explicitly instructs users to bind an HTTP file server to 0.0.0.0 and open a firewall port with iptables, but provides no warning that this exposes the selected directory to any reachable network client. In the context of a file-sharing skill, this behavior is expected functionality, but omitting privacy, authentication, and scope warnings materially increases the chance of accidental data exposure or unintended public access.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script opens a firewall port without prior confirmation or a clear warning about the security consequences, which violates the principle of explicit user consent for security-sensitive operations. Combined with the default bind address of 0.0.0.0, this can unintentionally publish local files to external networks.

VirusTotal

66/66 vendors flagged this skill as clean.