ClawHub

BT Download

Security checks across malware telemetry and agentic risk

Overview

This torrent/download helper appears purpose-related, but it asks for broad system-changing authority and starts a network-facing background service without clear user control.

Install only if you are comfortable with a plugin that may install system packages and run a persistent aria2 background service. Before using it, verify the exact commands, require confirmation for sudo and daemon startup, bind RPC to localhost with authentication, and confirm how to stop the service and remove logs/download files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises operational capabilities that include shell, network, and environment access, but does not declare any permissions or trust boundaries. That makes host-level actions such as invoking aria2c, contacting external endpoints, and interacting with local files less transparent to the user and platform, increasing the chance of unexpected system modification or data access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior goes beyond a simple 'download assistant' and includes package installation, starting a background RPC service, changing DHT-related configuration, fetching data from GitHub, and reading local files. Those are materially different and more sensitive operations than the headline description suggests, so a user may authorize the skill without understanding that it can modify the host and expose a local RPC interface.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The tool can install system packages by invoking `sudo apt-get` through a shell command, which gives the skill authority to modify the host system well beyond ordinary BT download management. In an agent setting, this is dangerous because it can trigger privileged changes, package installation side effects, and unexpected escalation without explicit, informed user approval.

Missing User Warnings

High
Confidence
96% confidence
Finding
The tool performs privileged software installation without any explicit confirmation or warning flow visible in code. Silent or poorly disclosed system modification is especially risky for agent-executed tools because users may not realize the plugin can change packages and invoke `sudo` on their machine.

Missing User Warnings

High
Confidence
95% confidence
Finding
This tool starts a background `aria2c` service with `nohup`, enables RPC listening on all interfaces, writes logs to `/tmp`, and stores downloads to disk without an explicit user warning about persistent system changes. In an agent context, background services and file writes are materially sensitive actions that can outlive the session and expand attack surface.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal