Security audit

Scan Updates

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its stated scan-and-update purpose, but it requires broad Gitea admin credentials and performs persistent remote writes that are not tightly scoped.

Install only in a dedicated PaperKB/Gitea environment where you are comfortable giving the skill a narrowly controlled service account. Avoid a site-wide admin token if possible, replace the sample HTTP Gitea URL with your own trusted HTTPS endpoint, pin dependencies, and restrict where scan output and repository writes are allowed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs the agent to run local Python scripts, read and write files under /tmp, and interact with external Git-based sources, but the frontmatter does not declare any permissions or capability boundaries. This creates a mismatch between documented behavior and runtime power, which can lead to over-privileged execution, weak reviewability, and accidental abuse of file, environment, or network access paths.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This helper includes repository creation and collaborator-management functions that exceed the stated purpose of scanning and updating source state. In a skill expected to inspect repositories, bundled administrative write capabilities create unnecessary privilege and expand the blast radius if the skill is misused, compromised, or invoked unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code reads a site-wide admin token and includes a check for site administrator capabilities even though the described skill only needs to scan registered sources. Using broad administrative credentials for a low-privilege workflow violates least privilege and makes any bug or abuse path much more dangerous, potentially exposing or modifying data across the entire Gitea instance.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The manifest describes a skill focused on scanning registered Gitea or Obsidian sources for file changes, creating incremental compilation jobs, and updating source fingerprints. This module instead creates and manages a separate "system-config" repository containing users, teams, chat bindings, permissions, active tasks, and job state, which is substantially broader administrative functionality than source-update scanning.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Repository creation and collaborator changes are remote state-changing actions with security consequences, and this helper exposes them without any built-in approval, policy check, or safety gate. In the context of a scanning skill, these functions are especially risky because they enable unexpected privilege propagation or unauthorized repository provisioning if invoked by mistake or through abuse.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The helper can create or overwrite remote repository files directly, and those write operations are exposed as generic utility functions with no guardrails. In a skill whose purpose is source scanning, unrestricted remote writes increase the chance of accidental tampering, malicious modification, or persistence of harmful content in repositories.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script accepts a user-controlled --save_to path and writes the full scan result there without validating that the destination stays within an approved directory. Because the result includes repository metadata, file fingerprints, commit information, and chat/binding context, an attacker or low-privilege caller could overwrite arbitrary writable files or exfiltrate sensitive data to unexpected locations.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
_load_env()

GITEA_URL = os.environ.get("GITEA_URL", "").rstrip("/")
ADMIN_TOKEN = os.environ.get("GITEA_ADMIN_TOKEN", "")
BOT_USERNAME = os.environ.get("GITEA_BOT_USERNAME", "AIFusionBot")
Confidence
70% confidence
Finding
os.environ.get("GITEA_ADMIN_TOKEN

Credential Access

High
Category
Privilege Escalation
Content
except ImportError:
        return
    here = Path(__file__).resolve().parent
    for candidate in (here / ".env", here.parent / ".env"):
        if candidate.exists():
            load_dotenv(candidate)
            return
Confidence
90% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
except ImportError:
        return
    here = Path(__file__).resolve().parent
    for candidate in (here / ".env", here.parent / ".env"):
        if candidate.exists():
            load_dotenv(candidate)
            return
Confidence
90% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
#!/usr/bin/env bash
set -e
python3 -m pip install -r requirements.txt
if [ ! -f .env ]; then cp env-example.txt .env; fi
echo "setup complete"
Confidence
60% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
python-dotenv
Confidence
97% confidence
Finding
requests

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests
python-dotenv
Confidence
95% confidence
Finding
python-dotenv

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
89% confidence
Finding
requests

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
68% confidence
Finding
python-dotenv

VirusTotal

64/64 vendors flagged this skill as clean.