GraphRAGBuilder

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but it needs Review because running it can install unpinned packages and browser components into the host environment and send crawled content to Claude.

Install and run this only in a virtual environment or container, not a system Python. Review generated server.py and mcp_config.json before adding them to Claude Desktop. Crawl only content you are allowed to store and send to Anthropic, use a budget-limited API key, and avoid indexing private or authenticated docs unless you have explicit approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (24)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
    missing = [pkg for mod, pkg in deps.items() if not _import_ok(mod)]
    if missing:
        print(f"Installing: {', '.join(missing)}...")
        os.system(f"pip install {' '.join(missing)} --break-system-packages -q")

def _import_ok(mod):
    try:
Confidence
96% confidence
Finding
os.system(f"pip install {' '.join(missing)} --break-system-packages -q")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
    missing = [pkg for mod, pkg in deps.items() if not _import_ok(mod)]
    if missing:
        print(f"Installing: {', '.join(missing)}")
        os.system(f"pip install {' '.join(missing)} --break-system-packages -q")

def _import_ok(mod):
    try:
Confidence
96% confidence
Finding
os.system(f"pip install {' '.join(missing)} --break-system-packages -q")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
    if missing:
        print(f"Installing missing packages: {', '.join(missing)}")
        os.system(f"pip install {' '.join(missing)} --break-system-packages -q")
        print()

_ensure_deps()
Confidence
95% confidence
Finding
os.system(f"pip install {' '.join(missing)} --break-system-packages -q")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
        from playwright.sync_api import sync_playwright, TimeoutError as PWTimeout
    except ImportError:
        print("     Installing playwright...")
        os.system("pip install playwright --break-system-packages -q")
        os.system("playwright install chromium --with-deps 2>&1 | tail -5")
        from playwright.sync_api import sync_playwright, TimeoutError as PWTimeout
Confidence
97% confidence
Finding
os.system("pip install playwright --break-system-packages -q")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
    except ImportError:
        print("     Installing playwright...")
        os.system("pip install playwright --break-system-packages -q")
        os.system("playwright install chromium --with-deps 2>&1 | tail -5")
        from playwright.sync_api import sync_playwright, TimeoutError as PWTimeout

    try:
Confidence
98% confidence
Finding
os.system("playwright install chromium --with-deps 2>&1 | tail -5")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
if not __import_ok(mod)]
    if missing:
        print(f"Installing: {', '.join(missing)}")
        os.system(f"pip install {' '.join(missing)} --break-system-packages -q")

def __import_ok(mod):
    try:
Confidence
95% confidence
Finding
os.system(f"pip install {' '.join(missing)} --break-system-packages -q")

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill broadens its behavior from embedding construction into environment/package management by auto-installing dependencies at runtime. In an agent skill context this is more dangerous because users may expect document processing, not host modification or network package retrieval; that creates avoidable supply-chain and integrity risk.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
A graph-construction utility should process existing local JSON data, but this code additionally installs packages from the network by invoking pip. That extra capability is unrelated to the core purpose and increases danger in this skill context because users may run it on development machines expecting offline data processing, not environment modification and third-party code installation.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill bootstraps dependencies at runtime through shell commands, meaning a normal crawl can mutate the local Python environment and pull code from remote package repositories on demand. In an MCP/agent skill, that behavior is more dangerous than in a typical CLI utility because the action may be triggered indirectly by user requests and executed in shared environments.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The Playwright fallback performs runtime installation of both the Python package and Chromium browser dependencies when encountering JS-rendered pages. Because crawling arbitrary websites is the core function of this skill, an attacker can more easily drive execution into this branch, making environment mutation and unreviewed dependency installation especially risky.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill installs Python packages automatically despite being a documentation concept-extraction tool, which is unnecessary privilege and expands attack surface. In this context, silent package installation is more dangerous because agent skills may run in trusted environments and can unexpectedly alter system state or introduce malicious or compromised dependencies.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The generated MCP server automatically installs Python packages at runtime using a shell command (`os.system("pip install ...")`). That gives generated code an unnecessary environment-modification capability beyond serving local graph/search functionality, and it can execute network-dependent package installation on first run without explicit user approval. In the skill context, this is more dangerous because the tool generates code intended for users to run locally and to wire into Claude Desktop, increasing the chance the behavior is trusted and executed on a host machine.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script advertises a 'self-contained' generated server, but the emitted `server.py` mutates the host environment by installing packages at runtime. This is a security-relevant mismatch in behavior and expectation: users may believe they are only running a local knowledge server, while the program performs package management actions that can alter the interpreter environment, pull code from external indexes, and affect system stability. The MCP-server-generation context makes this risk more significant because the output is designed for repeated local execution as an integrated tool.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill description and idea indicate activation on very broad user language around scraping, indexing, or making docs searchable, which can cause the skill to trigger in many contexts without clear boundaries or user confirmation. In a skill that performs website crawling, transcription ingestion, and code/server generation, overbroad triggering increases the chance of unintended invocation on sensitive, copyrighted, or inappropriate targets and may launch high-impact actions from ambiguous requests.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The plan explicitly states that the orchestrator will install missing Python dependencies at runtime, which modifies the user's local environment without an explicit consent step or prominent warning. This is dangerous because it can unexpectedly execute package installation logic, alter system state, and pull code from external package repositories in contexts where users may assume the skill is read-only.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The Playwright fallback means the skill may invoke browser automation and potentially trigger Chromium installation/runtime behavior without clearly informing the user. That expands the execution surface and can cause unexpected downloads and execution of browser tooling, which is especially risky in restricted or tightly controlled environments.

Missing User Warnings

High
Confidence
97% confidence
Finding
The concept extraction phase sends crawled content, section titles, and source URLs to the Claude API, but the plan does not disclose this third-party transmission or require consent. This creates a real data exposure risk because users may crawl internal, licensed, or sensitive documentation and unknowingly transmit that material to an external AI provider.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The README encourages users to crawl arbitrary external websites and then merge generated MCP configuration into their local Claude Desktop config, but it does not clearly warn about the trust boundary change, network access, or the risks of installing a generated local server. In this skill context, that omission matters because the project’s purpose is to ingest untrusted web content and emit runnable local tooling, which can normalize unsafe installation behavior even if the README itself contains no direct exploit.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger guidance is unusually broad, telling the agent to invoke the skill even for generic phrases like 'scraping docs' or 'making docs searchable in Claude.' Over-broad auto-invocation can cause the skill to run in contexts where the user did not intend website crawling, external API use, local code generation, or dependency installation, increasing the chance of unsafe or privacy-impacting actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill tells the user to set ANTHROPIC_API_KEY and run concept extraction but does not clearly warn that crawled page content will be sent to an external LLM API for processing. If the target documentation contains proprietary, sensitive, or access-restricted material, users may unintentionally exfiltrate that content to a third party service.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script executes a shell-based install path automatically, with no confirmation, opt-in, or isolation. This is risky in an agent/skill setting because simply invoking the tool can trigger unexpected system changes and network access, violating least surprise and increasing the blast radius if a package source is malicious or the environment is sensitive.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script executes `pip install` automatically without prompting the user or obtaining approval. This is dangerous because it performs network access and code installation as a side effect of running a local data-processing tool, which can violate user expectations and organizational controls even if no direct command injection exists.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script runs a package-install shell command automatically and only prints a status message, providing no informed consent, no prompt, and no indication of environment impact. This is unsafe operationally because users or higher-level agents may execute the skill expecting content processing, not host modification.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The generated server executes `pip install` automatically and silently, with no confirmation prompt or meaningful warning. Unprompted package installation can fetch and execute third-party code, change the local Python environment, and surprise users who only intended to run a documentation search server. In this skill's context, that behavior is especially risky because the generated file is presented as ready-to-run infrastructure and may inherit user trust.

VirusTotal

67/67 vendors flagged this skill as clean.
