Net Detective

Security checks across malware telemetry and agentic risk

Overview

Net Detective is a transparent network diagnostic skill that runs expected connectivity tests and stores limited local history, with privacy and hardening caveats.

Install this only if you want active network troubleshooting. Expect it to run local network utilities, contact public diagnostic endpoints, and optionally keep a small local performance history. Review reports before sharing them because they can include hostname, local IP, gateway, traceroute hops, DNS timings, and speed results.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def find_traceroute():
    for path in ["/usr/sbin/traceroute", "/sbin/traceroute", "/usr/bin/traceroute", "traceroute"]:
        try:
            subprocess.run([path, "--help"], capture_output=True, timeout=2)
            return path
        except FileNotFoundError:
            continue
Confidence
79% confidence
Finding
subprocess.run([path, "--help"], capture_output=True, timeout=2)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            if m:
                gateway = m.group(1)
        else:
            r = subprocess.run(["ip", "route", "show", "default"], capture_output=True, text=True, timeout=5)
            m = re.search(r"default\s+via\s+([\d.]+)", r.stdout)
            if m:
                gateway = m.group(1)
Confidence
76% confidence
Finding
r = subprocess.run(["ip", "route", "show", "default"], capture_output=True, text=True, timeout=5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if PING_BIN is None:
        for path in ["/sbin/ping", "/bin/ping", "/usr/bin/ping", "ping"]:
            try:
                subprocess.run([path, "-c", "1", "-W", "500", "127.0.0.1"],
                               capture_output=True, timeout=2)
                PING_BIN = path
                break
Confidence
84% confidence
Finding
subprocess.run([path, "-c", "1", "-W", "500", "127.0.0.1"], capture_output=True, timeout=2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill advertises activation on broad, everyday phrases like 'internet problems' and 'connection issues' without clear constraints or user-consent guardrails. That increases the chance the skill is invoked in situations where users did not intend to run active network diagnostics, which can trigger external network probes and collection of environment-specific data unnecessarily.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow and script descriptions indicate the skill performs DNS checks against third-party providers, traceroute/speed tests, and can record results over time, but the user-facing description does not disclose these behaviors. This creates a transparency and privacy risk because users may unknowingly cause network metadata to be transmitted externally and diagnostic results to be persisted locally as history.

VirusTotal

66/66 vendors flagged this skill as clean.
