Security audit

Query Kb

Security checks across malware telemetry and agentic risk

Overview

The skill mainly answers knowledge-base questions, but it also requires broad Gitea admin-style access and can create or update remote repositories and logs during normal use.

Review before installing. Use a least-privilege Gitea token if possible, restrict it to the intended KB and system-config repositories, and assume user IDs plus full questions will be stored in repository history. Operators should separate admin/setup functions from normal query use or require explicit approval for repository creation, collaborator changes, and file writes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill invokes local scripts and relies on capabilities such as environment access, file reads, and likely network-backed repository access, yet no explicit permissions are declared. That creates a hidden trust boundary: reviewers and platform controls may assume a narrower capability set than the skill actually uses, increasing the chance of over-privileged execution or unnoticed data access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is a narrowly scoped query skill, but the described backing behavior includes administrative repository management, collaborator changes, control-plane state management, and broader file-content utilities. This mismatch is dangerous because it can conceal privileged operations behind a benign interface, enabling unauthorized data access or infrastructure changes if the skill is triggered or reused in unintended ways.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The skill is described as a read-only knowledge-base question-answering capability, but this module can write back to repository files via g.put_file. That creates an unnecessary state-changing capability that could alter KB contents or metadata if exposed through the agent flow, violating least privilege and expanding the blast radius from answering questions to modifying source repositories.

Description-Behavior Mismatch

High
Confidence
91% confidence
Finding
regen_index reconstructs and writes index.md, which is outside the stated scope of answering KB questions with source grounding. Even if intended as maintenance, embedding this behavior in a QA skill allows presentation-layer content to be rewritten automatically, creating opportunities for unintended content changes, corruption, or abuse through crafted catalog data.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Repository mutation is not justified by the declared purpose of a question-answering skill and materially increases risk. Any compromise, prompt-injection-driven action, or logic bug in the broader agent could use these functions to modify repository state, tamper with KB artifacts, or poison future answers.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Automatic regeneration of index.md is a content-maintenance feature, not a requirement for answering questions. Including it in the same codebase and privilege boundary as QA broadens the attack surface and allows a query-oriented agent to affect user-visible repository artifacts beyond its advertised role.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
This module exposes broad Gitea administrative and mutation capabilities including admin-user repo creation, collaborator management, and remote file writes, which significantly exceed the stated purpose of a knowledge-base query skill. In this context, bundling privileged write/admin operations into a read-oriented skill increases the blast radius if the skill is misused, prompted unexpectedly, or compromised, enabling unauthorized repository creation or content modification.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script logs full user questions, scope, hit metadata, and a user identifier into a repository file, which expands the skill from answering KB questions into persistent collection of user content. Because natural-language queries often contain secrets, personal data, or sensitive business context, storing them in a repo creates unnecessary retention and disclosure risk beyond the core function of the skill.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This code sends user-provided query contents and identifiers to a remote repository via g.put_file, giving the skill write capability that is not necessary for answering a knowledge-base query. If the repository is broadly accessible, misconfigured, or later exposed, sensitive user questions and identities could be leaked or mined.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This module provisions and mutates a remote 'system-config' repository through bot credentials, creating and updating control-plane state such as users, teams, permissions, jobs, and bindings. For a skill whose stated purpose is answering grounded KB queries, this is unnecessary privileged behavior and materially expands the attack surface: if invoked or influenced by untrusted inputs, it could enable unauthorized state changes, persistence, or abuse of the bot's repository access.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code explicitly manages administrative state including users, teams, chat bindings, jobs, active tasks, and permissions, which is unjustified for a KB query skill that should primarily read indexed content and return grounded answers. In this context, such capabilities are dangerous because they introduce identity and authorization surfaces that could be abused to alter memberships, permissions, or workflow state, far beyond the declared functionality.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill logs the user's identifier, full question, scope, and hit pages without any stated notice, retention limit, minimization, or access-control policy. Those logs can expose sensitive personal or team knowledge queries and create a secondary data store that may be accessed, retained, or repurposed beyond user expectations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
These helpers create repositories through admin and user API endpoints, a high-impact remote side effect unrelated to answering questions from a knowledge base. In the skill context, this is especially dangerous because a user would reasonably expect retrieval, not infrastructure mutation, so misuse could silently create persistent remote resources under privileged identities.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The file-writing helpers can create or overwrite repository contents remotely, creating a direct path to tamper with knowledge-base data or other repository files. For a query-focused skill, hidden write capability is especially risky because prompt abuse, accidental invocation, or compromised orchestration could alter evidence sources, plant misleading content, or modify code/configuration in repos accessible by the token.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code records the full query and user identifier without any indication of notice, consent, or user-facing disclosure in the logging path. In a personal/team KB context, users may reasonably submit confidential material, so silent persistence of that text materially increases privacy and compliance risk.

Ssd 3

Medium
Confidence
96% confidence
Finding
Persisting free-form questions plus identifiers in log.md creates a durable natural-language record that may contain credentials, internal project names, customer data, or regulated information. Repositories are poor sinks for this kind of content because they preserve history, are easy to replicate, and make later deletion or selective purging difficult.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
python-dotenv
Confidence
95% confidence
Finding
requests

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
python-dotenv
Confidence
92% confidence
Finding
python-dotenv

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
84% confidence
Finding
requests

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
72% confidence
Finding
python-dotenv

VirusTotal

64/64 vendors flagged this skill as clean.