
Security audit

Kb Query

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine knowledge-base lookup skill, but it needs review before installation: it authenticates to Gitea with an admin token for what are read-only repository operations, and it does not enforce a repository allowlist of its own.

Install only if the Java backend tightly controls kbTargets and the Gitea credential is replaced with a read-only token scoped to the intended KB repositories (the token should no longer be sourced from GITEA_ADMIN_TOKEN). Confirm repository allowlisting, HTTPS configuration, and pinned dependencies before using it with private or business-sensitive knowledge bases.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill declares no explicit permissions, yet its instructions and execution entrypoint imply capabilities to read local files and potentially access networked KB repositories. This creates a permission-transparency gap: operators and policy layers may not realize the skill can access sensitive repository content or external resources, increasing the risk of unintended data exposure or policy bypass.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file implements direct Gitea repository access, including repository tree enumeration and file content retrieval, which is inconsistent with the stated purpose of simple Java-backed personal/team KB lookup. That mismatch increases the chance the skill can access broader repository data than users expect, enabling unintended data exposure or use of the skill as a general code/document retriever rather than a narrowly scoped KB query tool.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code uses a GITEA_ADMIN_TOKEN for operations that appear to be read-only. Embedding administrative credentials into a lookup skill violates least privilege and creates a severe blast radius: if the token is misused, leaked, or the skill is repurposed, an attacker could gain broad control over Gitea resources well beyond the KB content.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script accepts owner, repo, and path directly from its arguments and passes them to Gitea without restricting them to approved KB repositories or rejecting path traversal. That gives the skill a broader data-access capability than its stated purpose: any repository the token can read becomes retrievable if the caller can influence the inputs or invoke the tool outside its intended wrapper.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
For a skill advertised as simple KB lookup, direct arbitrary Gitea reads are an over-broad primitive that can be repurposed for general repository browsing and data exfiltration. The danger is increased by the mismatch between documented scope and actual capability, because downstream systems or reviewers may assume tighter confinement than exists.
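The two findings above (unrestricted owner/repo/path arguments, and an over-broad read primitive behind an admin credential) share one fix: validate the target against an allowlist before any request is built, and send only a dedicated read-only token. The following is an added example of such a wrapper, written for this audit; it is not the audited skill's code. The allowlist entries, the `KB_READ_TOKEN` variable name, the base URL and the `KbTargetError` class are assumptions chosen for illustration. The Gitea contents endpoint (`/api/v1/repos/{owner}/{repo}/contents/{path}?ref=`) and the `token` authorization scheme are Gitea's documented API.

```python
"""Hardened KB lookup wrapper: repository allowlist, path normalization,
HTTPS-only base URL and a dedicated read-only token.

Added example for this audit, not the skill's own code. KB_ALLOWLIST,
KB_READ_TOKEN and the example hostnames are hypothetical.
"""
import os
import posixpath
from urllib.parse import quote

# Hypothetical allowlist: only these (owner, repo) pairs may be read by the skill.
KB_ALLOWLIST = {("acme-docs", "team-kb"), ("acme-docs", "personal-kb")}


class KbTargetError(ValueError):
    """Raised when a requested target is outside the approved KB scope."""


def normalize_path(path: str) -> str:
    """Collapse '.', '..' and duplicate slashes; reject anything escaping the repo root."""
    if not path or path.startswith("/") or "\0" in path or "\\" in path:
        raise KbTargetError(f"invalid path: {path!r}")
    norm = posixpath.normpath(path)
    if norm in (".", "..") or norm.startswith("../"):
        raise KbTargetError(f"path traversal rejected: {path!r}")
    return norm


def check_kb_target(owner: str, repo: str, path: str, allowlist=KB_ALLOWLIST):
    """Return (owner, repo, normalized_path) only for allowlisted repositories."""
    if (owner, repo) not in allowlist:
        raise KbTargetError(f"{owner}/{repo} is not an approved KB repository")
    return owner, repo, normalize_path(path)


def build_contents_url(base: str, owner: str, repo: str, path: str, ref: str = "main") -> str:
    """Gitea contents endpoint: GET /api/v1/repos/{owner}/{repo}/contents/{path}?ref=..."""
    if not base.startswith("https://"):
        raise KbTargetError("KB base URL must use HTTPS so the token is never sent in clear")
    owner, repo, path = check_kb_target(owner, repo, path)
    return (f"{base.rstrip('/')}/api/v1/repos/{quote(owner, safe='')}/{quote(repo, safe='')}"
            f"/contents/{quote(path, safe='/')}?ref={quote(ref, safe='')}")


def load_read_token(env_var: str = "KB_READ_TOKEN") -> str:
    """Read the scoped token from its own variable; never fall back to GITEA_ADMIN_TOKEN."""
    token = os.environ.get(env_var)
    if not token:
        raise KbTargetError(f"{env_var} is not set; refusing to use an admin token as fallback")
    return token


def fetch_kb_file(base: str, owner: str, repo: str, path: str, ref: str = "main", timeout: int = 10):
    """Perform the validated request; the validation helpers above run without requests installed."""
    import requests  # imported lazily so the checks above stay dependency-free

    url = build_contents_url(base, owner, repo, path, ref)
    session = requests.Session()
    # Do not pick up ~/.netrc credentials or proxy settings from the environment;
    # this is the class of leak described by CVE-2024-47081.
    session.trust_env = False
    session.headers["Authorization"] = f"token {load_read_token()}"
    resp = session.get(url, timeout=timeout)  # TLS verification stays at the requests default (on)
    resp.raise_for_status()
    return resp.json()
```

The allowlist lives in the wrapper rather than in the caller's arguments, so invoking the script outside the Java backend gains nothing: a request for any other repository, or for a path containing `..`, fails before a URL is ever built.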

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill sends a sensitive authorization token and retrieves repository data over the network without any visible user disclosure or trust-boundary warning. In a desktop assistant context, this can lead to users unknowingly causing privileged repository access and data transmission to a remote service, especially dangerous given the administrative credential used elsewhere in the file.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
python-dotenv
Confidence
93% confidence
Finding
requests is declared without a version pin.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
python-dotenv
Confidence
88% confidence
Finding
python-dotenv is declared without a version pin.

Known Vulnerable Dependency: requests — 10 advisories: CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
requests is unpinned, so an install may resolve to a release affected by the advisories above.

Known Vulnerable Dependency: python-dotenv — 1 advisory: CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
76% confidence
Finding
python-dotenv is unpinned, so an install may resolve to a release affected by the advisory above.
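The four supply-chain findings above reduce to one check a reviewer can run before installing: every requirement must carry an exact pin, and pinned versions of requests must be at or above the fix for each advisory listed. The following is an added example of that check, written for this audit and not part of the skill. The minimum versions for requests are taken from the public fixes for the three advisories named on this page (2.3.0 for CVE-2014-1830, 2.32.0 for CVE-2024-35195, 2.32.4 for CVE-2024-47081); the page does not state a fixed version for the python-dotenv advisory, so that package is only checked for a pin. The sample requirements text is constructed.

```python
"""Audit a requirements.txt for unpinned or known-vulnerable pins.

Added example for this audit, not the skill's own code. MIN_FIXED holds the
fix versions assumed from the requests advisories cited on the page.
"""
import re

# Lowest release that carries the fix for each advisory (assumed from the advisories).
MIN_FIXED = {
    "requests": {
        "CVE-2014-1830": (2, 3, 0),
        "CVE-2024-35195": (2, 32, 0),
        "CVE-2024-47081": (2, 32, 4),
    },
}

# name [extras] operator version  (environment markers and hashes are ignored here)
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*"
    r"(==|>=|~=|<=|!=|>|<)?\s*([0-9][0-9A-Za-z.]*)?"
)


def parse_version(v: str) -> tuple:
    """Turn '2.32.4' (or '2.32.4rc1') into a comparable (major, minor, patch) tuple."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def audit_requirements(text: str):
    """Return (package, problem) pairs; an empty list means every line is pinned and patched."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or pip option such as -r/--hash
            continue
        m = _REQ_RE.match(line)
        if not m:
            findings.append((line, "unparseable requirement"))
            continue
        name = m.group(1).lower().replace("_", "-")
        op, ver = m.group(2), m.group(3)
        if op != "==" or not ver:
            findings.append((name, "unpinned (no exact == version)"))
            continue
        for cve, fixed in MIN_FIXED.get(name, {}).items():
            if parse_version(ver) < fixed:
                findings.append((name, f"{cve} affects {ver}; needs >= {'.'.join(map(str, fixed))}"))
    return findings


# Constructed sample: the two bare names the scanner reported for this skill.
SAMPLE_REQUIREMENTS = "requests\npython-dotenv\n"

if __name__ == "__main__":
    for pkg, problem in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{pkg}: {problem}")
```

An exact `==` pin closes the "unpinned" findings; pairing it with `pip install --require-hashes` and per-package `--hash=` lines (a standard pip feature, not shown here) also defends against a substituted artifact of the same version.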

VirusTotal

64/64 vendors flagged this skill as clean.
