Workspace Planning

Security checks across malware telemetry and agentic risk

Overview

This schedule-management skill appears useful, but it can modify the local environment, edit workspace files, and sync project data externally without clear scoping or consent language.

Install only if you are comfortable with a skill that may create a local Python environment, install PyYAML from package infrastructure, edit schedule YAML files, and send schedule/module information to Yunxiao. Prefer running it in a controlled workspace, review diffs before committing generated YAML, and use external sync only after checking exactly what data will be sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
VENV_DIR.parent.mkdir(parents=True, exist_ok=True)
venv.create(str(VENV_DIR), with_pip=True)
pip = str(VENV_DIR / "bin" / "pip")
subprocess.check_call(
    [pip, "install", "--quiet", "pyyaml"],
    stdout=sys.stderr,
    stderr=sys.stderr,
)
Confidence
88% confidence
Finding
subprocess.check_call( [pip, "install", "--quiet", "pyyaml"], stdout=sys.stderr, stderr=sys.stderr, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill directs the agent to run shell commands (`python3 ...`, `pip install pyyaml`) but does not declare shell/code-execution permissions. That creates an undeclared capability boundary: users and policy layers may believe the skill is read-only project-planning guidance when it can actually execute local commands against the workspace.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill description overstates and misstates behavior: it implies schedule management and Yunxiao sync, but the documented operations also include environment modification (`pip install`), filesystem scanning, and workflows that only validate rather than perform updates. This mismatch can cause users or orchestrators to authorize the skill under false assumptions, leading to unexpected local changes, overbroad file access, or unsafe delegation to other tools.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
This skill is supposed to perform deterministic YAML schedule operations, but it also creates a virtual environment, installs a package, and re-executes itself. That behavior is unrelated to the core task and increases risk in agent contexts, because simply invoking the skill can cause network access and persistent environment changes, which are higher-risk capabilities than expected from a planning utility.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill instructs creation and editing of YAML files in the workspace without an explicit warning or confirmation step before modifying project data. In a planning tool, such edits may seem routine, but silent mutation of repository files can still corrupt schedules, overwrite comments, or create unauthorized changes that are later committed.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The Yunxiao sync workflow sends schedule/module data to an external system but does not provide a clear privacy or data-transmission warning. Because schedule data can include project structure, milestones, and implementation details, exporting it without explicit disclosure and confirmation risks unintended leakage of sensitive internal information.

VirusTotal

64/64 vendors flagged this skill as clean.
