Intranet

Security checks across malware telemetry and agentic risk

Overview

This is a real local intranet server, but its optional CGI feature has security gaps: it can execute plugin code more broadly than the documentation states.

Install only if you are comfortable reviewing the served webroot and every mounted plugin directory. Keep the default localhost bind, avoid enabling CGI for untrusted content, do not rely on plugin hash settings as the only protection in this version, and treat workspace/intranet/.conf and config.json as sensitive when tokens are used.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
})

        try:
            result = subprocess.run(
                [sys.executable, str(actual_script)],
                capture_output=True,
                timeout=_CGI_TIMEOUT,
Confidence
94% confidence
Finding
result = subprocess.run( [sys.executable, str(actual_script)], capture_output=True, timeout=_CGI_TIMEOUT, env=env,

Tp4

High
Category
MCP Tool Poisoning
Confidence
76% confidence
Finding
The description understates the operational and security-relevant behavior of the skill by presenting it as a lightweight local file server while it also supports authentication, session cookies, daemon lifecycle management, and optional LAN exposure. This can mislead users into deploying it with a weaker threat model than appropriate, increasing the chance of unsafe exposure or misconfiguration.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
When a token is supplied, the script persists it in plaintext to workspace/intranet/.conf so that later status/start operations can read it back. Storing authentication material on disk without restrictive permissions, encryption, or a clear warning increases the chance of credential disclosure through local file reads, backups, shared workspaces, or accidental check-in. In this skill's context the token may protect a locally exposed HTTP server, so theft could allow unauthorized access if the server is reachable beyond loopback.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The CGI environment is initialized with `os.environ.copy()`, which forwards the full parent process environment to executed scripts. If CGI code is compromised, untrusted, or attacker-controlled, it can read secrets such as API keys, tokens, credentials, workspace paths, and operational metadata from inherited environment variables, greatly increasing blast radius beyond the web content itself.

VirusTotal

65/65 vendors flagged this skill as clean.
