pc-assistant

Security checks across malware telemetry and agentic risk

Overview

This PC diagnostics skill appears local-only, but it should be reviewed carefully because it saves very sensitive computer and account details by default.

Install only if you are comfortable with a deep local inventory. Run it as a regular user, store reports in a private directory with restrictive permissions, avoid sharing reports without redaction, and avoid scheduled runs unless you need historical tracking. Treat the config file used by the scheduler as executable shell code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Description-Behavior Mismatch
Medium (94% confidence)

Claiming the skill is read-only is inaccurate if it writes reports and supports scheduled automated execution with retention management. Users and downstream agents may rely on the read-only claim when deciding whether execution is safe, leading to uninformed consent and unexpected persistence of sensitive system information.

Intent-Code Divergence
Medium (93% confidence)

The statement that the script is 'read-only and safe to run multiple times' conflicts with documented creation of timestamped reports and optional deletion of older ones. This can mislead users into believing there are no side effects, when repeated execution may accumulate or remove files containing sensitive diagnostics.

Description-Behavior Mismatch
High (99% confidence)

The file content documents a ClawHub skill-registry/publishing CLI, not a read-only PC diagnostics assistant as declared in the skill metadata. This mismatch is dangerous because it can mislead users and reviewers into installing a skill with materially different capabilities, including remote registry interaction and skill-management operations.

Context-Inappropriate Capability
High (98% confidence)

The documented commands include publish, delete, hide, undelete, unhide, ban-user, set-role, and sync/publish behaviors that are unrelated to local read-only diagnostics. In the context of a purported PC healthcheck skill, these capabilities indicate hidden administrative or supply-chain impacting functionality that could be abused to modify registry state, affect other users, or distribute altered skills.

Context-Inappropriate Capability
Medium (95% confidence)

Login/token handling and configurable site/registry URLs are not justified for a local read-only diagnostics skill. These features create an unnecessary path for credential collection, token storage, or outbound connections to attacker-controlled endpoints if the skill is misrepresented or misconfigured.

Description-Behavior Mismatch
Medium (96% confidence)

The skill is described as read-only diagnostics, but it creates persistent plaintext report files under a user-supplied or default directory and stores extensive host details there. This is a real security/privacy issue because the persistence and storage of collected data materially changes the risk profile from transient diagnostics to local data accumulation that may be readable by other users or later exfiltrated.

Description-Behavior Mismatch
High (99% confidence)

This section collects SSH authorized_keys, known_hosts, login history, and account data, which goes well beyond ordinary PC health diagnostics. In the context of a diagnostic skill advertised as read-only health checking, gathering access material and user security artifacts is unjustified and exposes sensitive trust relationships and account information.

Context-Inappropriate Capability
High (99% confidence)

Dumping environment variables and shell history can reveal tokens, credentials, internal URLs, command usage, and private activity. For a healthcheck skill, this is unnecessary and dangerous because it converts highly sensitive ephemeral user context into a persistent report file.

Context-Inappropriate Capability
High (99% confidence)

Enumerating SSH authorized_keys and known_hosts is a true credential/access exposure issue even though private keys are not directly read. These files reveal trusted principals, reachable infrastructure, and remote access configuration, which can aid lateral movement or targeted attacks if the report is exposed.

Context-Inappropriate Capability
Medium (87% confidence)

Inspecting /mnt/c/Users and Windows program directories via WSL extends the skill into cross-OS inventory of user and installed-software data beyond core health metrics. While less severe than credential collection, it still exposes personal usernames and installed applications that may be sensitive in enterprise or shared-device contexts.

Vague Triggers
Medium (84% confidence)

Very broad trigger phrases like 'how is my PC doing?' or 'is everything ok?' increase the chance the skill runs in situations where the user did not intend a full diagnostic sweep. In this context, accidental invocation is more dangerous because the skill may gather and persist sensitive system and account information.

Missing User Warnings
Medium (91% confidence)

The output documentation describes report contents and storage but does not clearly warn that reports may include sensitive host, network, account, and security details. If such reports are saved in predictable locations, they may be exposed to other local users, backups, or accidental sharing.

Missing User Warnings
Low (78% confidence)

Documenting automatic cleanup without a clear warning can cause users to enable deletion behavior without realizing old reports will be removed. While lower severity than data collection issues, this still creates unexpected file system side effects and possible loss of diagnostic history.

Vague Triggers
Low (82% confidence)

The sync command is described broadly as scanning local skills and publishing new or updated ones, without constraints, approval flow, or scope limitations. In a mislabeled skill, that ambiguity increases the risk of unintended or unauthorized publication of local content and supports supply-chain abuse.

Missing User Warnings
Medium (95% confidence)

The script begins creating output files without any prominent disclosure that the reports may contain sensitive system, network, account, and user-context information. Lack of informed consent and sensitivity warning is a real security design problem because users may share or retain the generated files without realizing their contents are confidential.

Missing User Warnings
High (99% confidence)

Reading SSH access material and related security data without explicit disclosure is especially dangerous because these artifacts are security-relevant and not needed for ordinary health diagnostics. Users would not reasonably expect a PC healthcheck to copy remote access trust data into a report.

Missing User Warnings
High (99% confidence)

Environment dumps and shell history can contain API keys, passwords pasted into commands, customer names, repository URLs, and operational activity. Capturing them silently into a report is a significant privacy and secret-handling failure, especially for a tool presented as diagnostics rather than forensics.

Missing User Warnings
Medium (99% confidence)

The script executes `source "$CONFIG_FILE"` on a path controllable by an environment variable or command-line option, which means arbitrary shell code in that file runs with the privileges of the scheduler. If this script is invoked manually, by cron, or with elevated permissions, an attacker who can influence the config path or file contents can achieve arbitrary command execution.

Ssd 3
High (99% confidence)

The script aggregates sensitive user, network, process, account, SSH, environment, and history data into plaintext report files. In context, this is the core vulnerability: even if collection is local-only, plaintext persistence creates a high-risk artifact that can be read by other local users, backed up, shared, or later stolen.

VirusTotal

64/64 vendors flagged this skill as clean.