data-bird

Security checks across malware telemetry and agentic risk

Overview

This data-analysis skill mostly does what it claims, but it gives the agent overly broad network-fetch authority, including local and internal URLs, through shell commands.

Install only if you are comfortable with the agent being able to download user-provided URLs from the machine where it runs. Prefer trusted local files or public HTTPS CSV/Excel links, avoid localhost/private-network/cloud-metadata URLs, keep MySQL disabled unless using read-only scoped credentials, and treat generated HTML reports as active content before opening or sharing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Context-Inappropriate Capability

High (98% confidence)

Finding
The skill explicitly instructs the agent to use shell-based curl against arbitrary URLs, including intranet and localhost, and to avoid safer fetch tooling. This is a classic server-side request forgery pattern that can be used to probe internal services, cloud metadata endpoints, localhost-only admin interfaces, or other network resources reachable from the agent host, far beyond normal CSV/Excel analysis needs.

Description-Behavior Mismatch

Medium (97% confidence)

Finding
The public skill description says it handles workspace files and HTTP(S)-downloaded CSV/Excel, but the implementation also allows arbitrary MySQL connections using user-supplied host, port, credentials, database, and SQL/table inputs. This creates undeclared network/database access capability and can expose the agent to SSRF-like internal network reachability, unauthorized data access, and execution of arbitrary read queries against databases that users or downstream tooling did not expect this skill to be able to contact.

VirusTotal

64/64 vendors flagged this skill as clean.