CLAW Agent Smart Control Cockpit (智控驾驶舱)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate operations dashboard, but it exposes unauthenticated controls that can change scheduled-task state and write local files.

Install only if you intend to run a local operations dashboard and can keep it private. Bind it to localhost or a trusted network, add authentication before using mutation endpoints, review any pending cron changes before applying them, and enable the recurring cron writer only with clear opt-in and a known data path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The cron update endpoint accepts unauthenticated POST requests from any origin and writes attacker-controlled change data to disk as pending cron modifications. In the context of an operations dashboard, exposing write-capable management functionality without authentication or authorization can enable unauthorized task reconfiguration, persistence, or follow-on command execution if another component later applies those pending changes.

Missing User Warnings

Medium
Confidence: 96%
Finding
The POST handlers mutate quota and cron state on disk immediately, with no authentication, CSRF protection, confirmation, or user verification. Because the server also sets permissive CORS headers and listens on 0.0.0.0, a remote or browser-based attacker may be able to submit unauthorized state changes that affect monitoring accuracy or downstream automation behavior.

Missing User Warnings

Medium
Confidence: 98%
Finding
This endpoint persists arbitrary requested cron changes to disk without any access control or provenance checks. Even if changes are only marked pending, storing attacker-supplied job modifications in an operations environment creates a dangerous staging point for unauthorized scheduled-task changes and may lead to privilege abuse when another workflow consumes the file.

Missing User Warnings

Medium
Confidence: 91%
Finding
The guide explicitly recommends a silent background cron that writes to {workspace}/agent-data.json without warning users that files will be modified automatically. In an agent environment, unattended file writes can overwrite user-managed state, create misleading telemetry, or normalize hidden persistence behavior, especially because the task runs repeatedly and silently.

VirusTotal

66/66 vendors flagged this skill as clean.