Cardnews

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but two behaviours fall outside the stated scope and happen without clear approval: it can publish to Instagram through a logged-in browser session, and it installs a Python package (Pillow) at runtime with pip if the import fails.

Review this skill before installing. Only use it if you are comfortable with an agent generating Instagram content, converting local image files, possibly installing Pillow from a Python package index at runtime, and driving a logged-in browser session. Pre-install Pillow in the agent's environment so the runtime pip fallback never runs. Do not allow upload until you have checked every slide, the caption, and the target Instagram account, and have explicitly approved the final post.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import sys

try:
    from PIL import Image
except ImportError:
    # Fallback installs Pillow into the running interpreter's environment
    # at execution time, without asking the user.
    import subprocess
    subprocess.check_call([sys.executable, "-m", "pip", "install", "Pillow", "-q"])
    from PIL import Image
Confidence
95% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "Pillow", "-q"])

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill invokes shell commands for image generation and file conversion but declares no permissions, leaving a gap between what reviewers and users expect and what the skill can actually do. Undeclared execution capability raises the risk of command execution, environment misuse, or unsafe file handling if prompts, filenames, or paths become attacker-controlled.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
A PNG-to-JPG conversion utility should not need to modify the host environment by installing Python packages during execution. In the context of an agent skill this is more dangerous because the script may run non-interactively on user or automation systems, so a failed import silently turns into a network fetch and code execution from an external package index, with no explicit consent, and with the resolved package name and version left to whatever index the environment happens to be configured with. The safer behaviour is to fail closed with a clear message naming the missing dependency.
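The two findings above (the subprocess call and the context-inappropriate install) describe the same pattern: a failed import that falls back to running pip. The check below is an added example, not SkillSpector's own detector or any code from the skill. It parses a Python source with the standard `ast` module and reports any `subprocess.*` or `os.system` call whose argument vector runs `pip install` (directly, as `pip3`, or via `python -m pip`). The two embedded snippets are constructed for the example: the first reproduces the flagged fallback, the second is an assumed hardened rewrite that fails closed instead of installing.

```python
import ast
import sys

# Constructed sample: the fallback reported in the finding, wrapped in the
# try/except it needs to parse.
FLAGGED_SNIPPET = '''
import sys
try:
    from PIL import Image
except ImportError:
    import subprocess
    subprocess.check_call([sys.executable, "-m", "pip", "install", "Pillow", "-q"])
    from PIL import Image
'''

# Assumed hardened form: report the missing dependency and stop, so the
# operator installs it deliberately instead of the skill doing it at runtime.
HARDENED_SNIPPET = '''
import sys
try:
    from PIL import Image
except ImportError:
    sys.exit("Pillow is not installed; add it to the agent environment before running this skill.")
'''

PIP_NAMES = {"pip", "pip3"}
INSTALL_SUBCOMMANDS = {"install", "download"}


def _argv_tokens(node):
    """Flatten the first argument of a process-spawning call into tokens.

    String constants are kept, ``sys.executable`` becomes ``<python>``,
    and anything computed at runtime becomes ``<dynamic>`` so the caller
    can see where attacker-controlled input could enter the command line.
    """
    if isinstance(node, (ast.List, ast.Tuple)):
        tokens = []
        for elt in node.elts:
            if isinstance(elt, ast.Constant) and isinstance(elt.value, str):
                tokens.append(elt.value)
            elif isinstance(elt, ast.Attribute) and elt.attr == "executable":
                tokens.append("<python>")
            else:
                tokens.append("<dynamic>")
        return tokens
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value.split()  # shell-string form, e.g. os.system("pip install x")
    return ["<dynamic>"]


def _is_pip_install(tokens):
    """True if the token list invokes pip's install/download subcommand."""
    for i, tok in enumerate(tokens):
        if tok in PIP_NAMES:  # covers "pip install" and "python -m pip install"
            return i + 1 < len(tokens) and tokens[i + 1] in INSTALL_SUBCOMMANDS
    return False


def find_runtime_installs(source):
    """Return one record per subprocess/os.system call that runs pip install."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)):
            continue
        if func.value.id not in ("subprocess", "os"):
            continue
        tokens = _argv_tokens(node.args[0])
        if _is_pip_install(tokens):
            findings.append({
                "line": node.lineno,
                "call": f"{func.value.id}.{func.attr}",
                "argv": tokens,
                # A dynamic package name means prompt or filename content could
                # choose what gets installed.
                "dynamic_args": "<dynamic>" in tokens,
            })
    return findings


if __name__ == "__main__":
    # Scan a file given on the command line, or the embedded samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(find_runtime_installs(fh.read()))
    else:
        print("flagged :", find_runtime_installs(FLAGGED_SNIPPET))
        print("hardened:", find_runtime_installs(HARDENED_SNIPPET))
```

The check is deliberately structural rather than textual: it does not match on the string "pip" anywhere in the file, only on a process-spawning call whose argument vector actually runs the install subcommand, which is what distinguishes a runtime install from, say, a docstring that mentions pip.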

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger language is broad enough to activate on generic requests for slide-based visual content, so the skill can run in contexts the user did not specifically intend. Over-broad activation raises the chance that shell usage, external tool invocation, and social-media-related actions are proposed or prepared without sufficiently explicit user consent.

VirusTotal

64/64 vendors flagged this skill as clean. Note that a clean antivirus verdict covers the packaged files only; it does not assess the runtime pip install or the Instagram publishing behaviour described in the findings above.
