Find Service Providers

Security checks across malware telemetry and agentic risk

Overview

The skill’s core purpose, a ServiceGraph lookup, is coherent, but its credential-loading instructions have the agent source a local `.env.local` file, which executes whatever shell code that file contains without clear user consent.

Review before installing. Prefer the ServiceGraph MCP/OAuth flow or an already-exported `SERVICEGRAPH_API_KEY`; do not let the agent source `.env.local` unless you fully trust that file’s contents. Confirm any paid unlocks before spending credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The skill instructs the agent to execute a shell snippet that sources `.env.local` before making network requests. Sourcing a local shell file executes arbitrary shell code, not just variable assignments, so a malicious or compromised repository can run commands and exfiltrate secrets under the guise of credential loading. The stated goal is API authentication for firm discovery, but this mechanism expands privilege to arbitrary local code execution.

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The skill claims credentials must never be read into context, but then directs the agent to source `.env.local` through a shell wrapper. Even if the token value stays out of chat, the act of sourcing executes arbitrary shell content from the workspace, creating a code-execution path that can steal secrets, alter commands, or persist malware. The contradiction is dangerous because it frames the behavior as security-conscious while introducing a powerful unsafe primitive.

Missing User Warnings

Medium
Confidence: 95%
Finding
The instructions tell the agent to source `.env.local` without warning that this executes arbitrary local shell code. In an agent setting, users may reasonably expect a config file read, not command execution, so this can lead to unintended execution of attacker-controlled repository content and subsequent credential or data compromise. The absence of a prominent warning increases the likelihood of unsafe use.
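All three findings turn on one fact: `. ./.env.local` hands the file to the shell for evaluation, so any line that is not a plain assignment runs as a command. The POSIX shell script below is an added example and is not code from the SkillSpector report or from the skill under review. The `.env.local` contents are constructed for the demonstration and are written to a throwaway temporary directory rather than the workspace; `load_env_strict` is a hypothetical replacement loader that imports `NAME=VALUE` lines without evaluating the file.

```shell
#!/bin/sh
# Added example, not from the SkillSpector report or the skill under review.
# Shows (1) that dot-sourcing .env.local executes any command in it and
# (2) a strict loader (hypothetical) that imports NAME=VALUE lines only.
# Both demos write a constructed .env.local into a temp directory.

# Writes a constructed .env.local that looks like credentials but carries a
# command. "$1" is the directory, "$2" the marker file the command creates.
write_hostile_env() {
    cat > "$1/.env.local" <<EOF
SERVICEGRAPH_API_KEY=sg_example_key_0000
# the next line is a command, not an assignment; sourcing runs it
touch "$2"
OTHER=\$(touch "$2")
EOF
}

# What the skill instructs: ". ./.env.local" before making requests.
# Returns 0 if the embedded command ran (the marker file exists).
demo_source_executes() {
    dir=$(mktemp -d); marker="$dir/marker"
    write_hostile_env "$dir" "$marker"
    ( cd "$dir" && . ./.env.local ) 2>/dev/null
    if [ -e "$marker" ]; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

# Strict alternative: read only NAME=VALUE lines into the environment without
# evaluating the file. Any other line is reported on stderr and ignored, and
# the value is used literally, so $(...) or backticks inside it never run.
load_env_strict() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        name=${line%%=*}
        value=${line#*=}
        if [ "$name" = "$line" ]; then name=''; fi   # no '=' on the line
        case "$name" in ''|[0-9]*|*[!A-Za-z0-9_]*)
            printf 'refusing non-assignment line: %s\n' "$line" >&2
            continue ;;
        esac
        export "$name=$value"
    done < "$1"
}

# Returns 0 if the strict loader imported the key, kept OTHER as a literal
# string, and did not create the marker file.
demo_strict_does_not_execute() {
    dir=$(mktemp -d); marker="$dir/marker"
    write_hostile_env "$dir" "$marker"
    result=$(
        load_env_strict "$dir/.env.local" 2>/dev/null
        case "$OTHER" in
            '$(touch '*)
                [ "$SERVICEGRAPH_API_KEY" = sg_example_key_0000 ] &&
                [ ! -e "$marker" ] && echo ok ;;
        esac
    )
    rm -rf "$dir"
    [ "$result" = ok ]
}

demo_source_executes && echo "sourcing .env.local ran the embedded command"
demo_strict_does_not_execute && echo "strict loader imported the key without executing anything"
```

The strict loader deliberately rejects anything that is not a bare `NAME=VALUE` line, including `export NAME=VALUE` and indented assignments; a file that needs those is a script, not a configuration file, and should be reviewed as one before an agent is allowed near it.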

VirusTotal

64/64 vendors flagged this skill as clean.
