ClawHub

Isp Throttle Detective

Security checks across malware telemetry and agentic risk

Overview

The skill performs the advertised ISP speed testing, local logging, and report generation without hidden credential use or unrelated behavior.

Install this only if you want active bandwidth tests. Review the endpoint list, byte limits, and any cron or launchd schedule before running it, especially on metered connections. The local logs and reports record timestamps and network performance history, so delete or limit ~/.isp-throttle-detective if you do not want that history retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation clearly instructs the agent to invoke Python scripts that perform network access, local logging, report generation, and shell-style piped execution, yet the skill declares no permissions. That creates a transparency and consent problem: users or platforms may not realize the skill can write persistent files and access the network, which can lead to unexpected data collection or policy bypass.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script accepts endpoint definitions from configuration and then fetches them without restricting destination hosts or schemes. That makes the skill capable of arbitrary outbound requests beyond the declared speed-test targets, which can be abused for SSRF-style access to internal services, cloud metadata endpoints, or other unintended destinations if an attacker can influence config.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation describes persistent logging under a home-directory path and report generation, but it does not prominently warn users that timestamped historical network performance data will be stored locally. While the data is not highly sensitive by default, retaining activity history without clear disclosure can expose usage patterns and surprise users sharing a machine or syncing home directories.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal