
Security audit

Init Workspace

Security checks across malware telemetry and agentic risk

Overview

The skill matches its stated workspace-management purpose, but it needs review because it operates with a powerful Gitea admin token and ships a plain-HTTP URL to an external Gitea server as its default configuration.

Install only if you operate the target Gitea server and can provide a least-privilege admin or bot token. Before use, replace the bundled GITEA_URL with your own trusted HTTPS endpoint, pin and review dependencies, and understand that the skill will create private repositories, grant collaborators, and maintain persistent team and chat-binding state in AIFusionBot/system-config.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill clearly instructs the agent to use environment-derived configuration such as GITEA_URL and to invoke local scripts that manage repositories, permissions, and system control data, implying network and environment access. When those capabilities are not explicitly declared, operators and policy systems cannot accurately review or constrain what the skill can do, increasing the risk of over-privileged execution and unsafe repository or permission changes.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest description says only that the skill initializes personal and team knowledge workspaces, but the surrounding metadata and provided skill description indicate broader capabilities including team creation, project space creation, Gitea repository permission changes, and maintenance of a control repository. This understatement can mislead reviewers and operators about the true privilege and attack surface of the skill, increasing the chance that a high-impact administrative skill is approved or invoked without appropriate scrutiny.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
_load_env()

GITEA_URL = os.environ.get("GITEA_URL", "").rstrip("/")
ADMIN_TOKEN = os.environ.get("GITEA_ADMIN_TOKEN", "")
BOT_USERNAME = os.environ.get("GITEA_BOT_USERNAME", "AIFusionBot")
Confidence
70% confidence
Finding
os.environ.get("GITEA_ADMIN_TOKEN
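The finding above and the Overview make the same practical point: the skill takes GITEA_URL and GITEA_ADMIN_TOKEN from the environment with empty-string defaults, so a missing token or a plain-HTTP endpoint is only discovered when the first API call fails, or succeeds over cleartext. The pre-flight validator below is an added example written for this audit, not code from the skill or from SkillSpector. It reads the same variable names the skill uses; the loopback allow-list for plain HTTP and the token-masking format are assumptions chosen for illustration.

```python
"""Pre-flight validation for the skill's Gitea configuration.

Added example for this audit, not the skill's own code. It rejects an unset
or non-HTTPS GITEA_URL (plain HTTP is tolerated only for loopback hosts),
requires a non-empty token, and never exposes the raw token in status output.
"""
from dataclasses import dataclass
from typing import Mapping, Tuple
from urllib.parse import urlsplit

# Assumption: plain HTTP is acceptable only for a Gitea instance on this machine.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


@dataclass(frozen=True)
class GiteaConfig:
    url: str
    token: str
    bot_username: str


def validate_gitea_url(raw: str) -> str:
    """Return the normalized base URL (no trailing slash) or raise ValueError."""
    url = raw.strip().rstrip("/")
    if not url:
        raise ValueError("GITEA_URL is not set")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"GITEA_URL is not an http(s) URL: {raw!r}")
    if "@" in parts.netloc:
        raise ValueError("GITEA_URL must not embed credentials")
    if parts.scheme == "http" and parts.hostname not in LOOPBACK_HOSTS:
        raise ValueError(f"GITEA_URL uses plain HTTP to a non-local host: {parts.hostname}")
    return url


def mask_token(token: str) -> str:
    """Render a token for logs: only a length hint and the last four characters."""
    if len(token) <= 8:
        return "***"
    return f"***{token[-4:]} (len={len(token)})"


def load_gitea_config(env: Mapping[str, str]) -> GiteaConfig:
    """Build a GiteaConfig from an environment-like mapping.

    Taking the mapping as a parameter instead of reading os.environ directly
    keeps the check testable without touching the real environment.
    """
    url = validate_gitea_url(env.get("GITEA_URL", ""))
    token = env.get("GITEA_ADMIN_TOKEN", "").strip()
    if not token:
        raise ValueError("GITEA_ADMIN_TOKEN is not set")
    if any(c.isspace() for c in token):
        raise ValueError("GITEA_ADMIN_TOKEN contains whitespace; likely pasted incorrectly")
    bot = env.get("GITEA_BOT_USERNAME", "AIFusionBot")
    return GiteaConfig(url=url, token=token, bot_username=bot)


def check_config(env: Mapping[str, str]) -> Tuple[bool, str]:
    """Return (ok, message) so a caller can report the outcome without raising."""
    try:
        cfg = load_gitea_config(env)
    except ValueError as exc:
        return False, str(exc)
    return True, f"Gitea {cfg.url} as {cfg.bot_username}, token {mask_token(cfg.token)}"


if __name__ == "__main__":
    import os

    ok, msg = check_config(os.environ)
    print(("OK: " if ok else "REFUSED: ") + msg)
```

Run it in the same shell (and with the same .env loaded) that the skill will use; a REFUSED line for the bundled default URL is the expected result until GITEA_URL has been replaced with your own HTTPS endpoint.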

Credential Access

High
Category
Privilege Escalation
Content
    except ImportError:
        return
    here = Path(__file__).resolve().parent
    for candidate in (here / ".env", here.parent / ".env"):
        if candidate.exists():
            load_dotenv(candidate)
            return
Confidence
60% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
    except ImportError:
        return
    here = Path(__file__).resolve().parent
    for candidate in (here / ".env", here.parent / ".env"):
        if candidate.exists():
            load_dotenv(candidate)
            return
Confidence
60% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
#!/usr/bin/env bash
set -e
python3 -m pip install -r requirements.txt
if [ ! -f .env ]; then cp env-example.txt .env; fi
echo "setup complete"
Confidence
60% confidence
Finding
.env
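The three Credential Access findings above describe one flow: setup.sh creates .env by copying env-example.txt, and _load_env() then loads the first .env it finds beside the script or one directory up, with no check on what that file is before its contents become GITEA_ADMIN_TOKEN. The loader below is an added example for this audit, not the skill's code and not python-dotenv. It parses KEY=VALUE lines itself so it runs offline, and it refuses a candidate that is a symlink, not a regular file, owned by another user, or readable by group/other, then falls through to the next candidate instead of loading it. The file names, modes and values in demo() are constructed for the example; the ownership and mode checks assume a POSIX filesystem.

```python
"""Guarded .env loading: added example for this audit, not the skill's code.

Mirrors the skill's candidate order but skips unsafe files rather than loading
them, and, like python-dotenv's default, lets already-set variables win.
"""
import os
import stat
from pathlib import Path
from typing import Dict, Iterable, MutableMapping, Optional


def check_env_file(path: Path) -> Optional[str]:
    """Return a refusal reason, or None if the file is acceptable to load."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink at the final component
    except FileNotFoundError:
        return "missing"
    if stat.S_ISLNK(st.st_mode):
        return "is a symlink"
    if not stat.S_ISREG(st.st_mode):
        return "is not a regular file"
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return f"is accessible to group/other (mode {stat.S_IMODE(st.st_mode):04o})"
    if st.st_uid != os.getuid():
        return "is not owned by the current user"
    return None


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored."""
    result: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key.isidentifier():
            raise ValueError(f"line {lineno}: not a KEY=VALUE assignment")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        result[key] = value
    return result


def safe_load_dotenv(path: Path, env: MutableMapping[str, str], override: bool = False) -> bool:
    """Load `path` into `env` only if check_env_file accepts it. True on success."""
    if check_env_file(path) is not None:
        return False
    for key, value in parse_dotenv(path.read_text(encoding="utf-8")).items():
        if override or key not in env:
            env[key] = value
    return True


def load_first_env(candidates: Iterable[Path], env: MutableMapping[str, str]) -> Optional[Path]:
    """Same search order as the skill, but an unsafe candidate is skipped, not loaded."""
    for candidate in candidates:
        if safe_load_dotenv(Path(candidate), env):
            return Path(candidate)
    return None


def demo() -> Dict[str, object]:
    """Create constructed .env files in a temp dir and report how the loader treats them."""
    import tempfile

    d = Path(tempfile.mkdtemp(prefix="dotenv-check-"))
    good = d / ".env"  # constructed sample, mode 0600
    good.write_text('GITEA_URL="https://git.example.com"\nGITEA_ADMIN_TOKEN=tok_constructed\n', encoding="utf-8")
    os.chmod(good, 0o600)
    loose = d / "loose.env"  # constructed sample, world-readable
    loose.write_text("GITEA_ADMIN_TOKEN=leaked\n", encoding="utf-8")
    os.chmod(loose, 0o644)
    link = d / "link.env"  # symlink pointing at the good file
    os.symlink(good, link)
    env: Dict[str, str] = {"GITEA_URL": "https://already.set"}  # pre-set value must win
    chosen = load_first_env([link, loose, good], env)
    return {
        "good": check_env_file(good),
        "loose": check_env_file(loose),
        "link": check_env_file(link),
        "chosen": chosen.name if chosen else None,
        "env": env,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The symlink refusal is also the relevant mitigation for the python-dotenv advisory listed further down this page (symlink following in set_key): a loader that never follows a link at the .env path cannot be steered into another file by one.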

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
python-dotenv
Confidence
95% confidence
Finding
requests

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
python-dotenv
Confidence
92% confidence
Finding
python-dotenv
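Both Unpinned Dependencies findings point at the same two-line requirements.txt, which setup.sh installs with a bare `pip install -r requirements.txt`, so each install resolves to whatever the index serves that day. The checker below is an added example for this audit, not part of the skill or of SkillSpector. It flags any requirement that lacks an exact `==` pin or a `--hash=sha256:` digest, the shape that `pip install --require-hashes` enforces. The pinned versions and the digests in SAMPLE_HARDENED are constructed placeholders for the format; pick versions against the advisories on this page and regenerate real digests (for example with `pip-compile --generate-hashes`) before using such a file.

```python
"""Flag unpinned or unhashed lines in a requirements file.

Added example for this audit, not the skill's code. Lines are joined across
backslash continuations, comments and blanks are skipped, and every package
line must carry an exact == pin and a --hash=sha256: digest.
"""
import re
from typing import Iterator, List, NamedTuple, Tuple

# Package name, optional extras, then the rest of the line (specifier, hashes, ...).
NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")

# The skill's requirements.txt as shipped (from the finding above).
SAMPLE_AS_SHIPPED = "requests\npython-dotenv\n"

# Constructed hardened file: versions are assumptions, digests are placeholders.
SAMPLE_HARDENED = (
    "# constructed example; regenerate digests with pip-compile --generate-hashes\n"
    "requests==2.32.4 \\\n"
    "    --hash=sha256:" + "0" * 64 + "\n"
    "python-dotenv==1.1.0 \\\n"
    "    --hash=sha256:" + "1" * 64 + "\n"
)


class Problem(NamedTuple):
    lineno: int
    requirement: str
    reason: str


def _logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (first_lineno, joined_line), merging backslash continuations."""
    buf: List[str] = []
    start = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not buf:
            start = lineno
        if stripped.endswith("\\"):
            buf.append(stripped[:-1].strip())
            continue
        buf.append(stripped)
        yield start, " ".join(buf)
        buf = []
    if buf:
        yield start, " ".join(buf)


def check_requirements(text: str) -> List[Problem]:
    """Return one Problem per line that is not an exact, hash-checked pin."""
    problems: List[Problem] = []
    for lineno, line in _logical_lines(text):
        if line.startswith("-"):
            # -r, -e, --index-url and friends: not a pinned package, review by hand
            problems.append(Problem(lineno, line, "option line, not a pinned package"))
            continue
        m = NAME_RE.match(line)
        if not m:
            problems.append(Problem(lineno, line, "unparseable requirement"))
            continue
        rest = m.group(3)
        spec = rest.partition("--hash=")[0].strip()
        if not spec.startswith("=="):
            problems.append(Problem(lineno, line, "no exact == pin"))
            continue
        if "--hash=sha256:" not in rest:
            problems.append(Problem(lineno, line, "no --hash=sha256 digest"))
    return problems


if __name__ == "__main__":
    for label, sample in (("as shipped", SAMPLE_AS_SHIPPED), ("hardened", SAMPLE_HARDENED)):
        print(f"{label}: {check_requirements(sample) or 'ok'}")
```

A line such as `-e git+https://...` is reported as an option line on purpose: it is the External Script Fetching pattern from the list at the top of this page, and no amount of pinning text on that line makes the fetched content verifiable.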

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
requests

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
70% confidence
Finding
python-dotenv

VirusTotal

VirusTotal findings are pending for this skill version.
