Agent Attestation

Security checks across malware telemetry and agentic risk

Overview

This identity and attestation skill is purpose-aligned, but it needs Review because its trust claims and local key storage are materially unsafe.

Review before installing. Use this only as experimental identity or reputation tooling unless the publisher fixes real signature verification, documents the trust model, and protects local private keys and identity records. Avoid relying on its attestations for security-sensitive decisions in the current form.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The code claims to provide portable attestation with Ed25519 signatures, but it generates only a predictable truncated SHA-256 digest over unsigned JSON and stores it as a 'signature'. This provides no authenticity because anyone can forge or recompute the value after modifying the attestation, making reputation and trust decisions trivially spoofable; the minimal input handling also leaves the system open to malformed or deceptive records.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The code does not implement Ed25519 signing at all; it generates a 16-hex-character truncated SHA-256 digest over the attestation object, which is not a digital signature and provides no authenticity because anyone can recompute it. In a reputation or attestation system, this lets an attacker forge attestations, impersonate attestors, and manipulate trust scores, while the claimed input validation is also materially overstated because only Unicode NFC normalization is applied to one field.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The inline comment explicitly confirms that the implementation is creating only a hash-based 'signature,' contradicting the skill metadata's claim of Ed25519 signatures. While the comment mismatch itself is not the root flaw, in this security-sensitive attestation context it increases the likelihood that integrators will wrongly trust forged or unverifiable attestations as cryptographically authenticated.

Missing User Warnings

Medium
Confidence: 90%
Finding
The code generates Ed25519 private keys and writes them to disk in plaintext PEM form using `NoEncryption()` without setting restrictive file permissions or providing any warning to the operator. In an agent skill context, these keys underpin identity and attestation trust, so local disclosure or accidental inclusion in backups/workspaces could let an attacker impersonate agents and forge valid attestations.

Missing User Warnings

Medium
Confidence: 95%
Finding
The code persists identity and reputation records to disk as plaintext JSON, including agent name, email, key fingerprint, and other metadata, with no encryption, no permission hardening, and no runtime safeguards. In this skill’s context, the stored data is specifically meant to survive handoffs and may include long-lived identity material, so compromise of the host, shared workspace access, backups, or other local users could expose sensitive agent identity data and enable correlation, impersonation support, or privacy loss.

VirusTotal

66/66 vendors flagged this skill as clean.