Python Sdk

Security checks across malware telemetry and agentic risk

Overview

This is coherent SDK documentation, but it should be reviewed because it grants broad local Python execution and includes unsafe examples for agent tools, public file uploads, and persisted chat history.

Install only if you are comfortable with a documentation skill that can run local Python commands when invoked. Protect API keys and webhook secrets, upload only files you intentionally want sent to inference.sh, avoid public uploads for sensitive content, and do not copy the eval() or unvalidated tool-execution examples into production agents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Severity
Medium
Confidence
97%
Finding
The handler example uses eval() on tool-controlled input (call.args['expression']), which can execute arbitrary Python code rather than safely evaluating math. In an SDK reference, readers are likely to copy this pattern into real agents, turning untrusted model- or user-derived input into direct code execution.

Context-Inappropriate Capability

Severity
Medium
Confidence
98%
Finding
The complete example again demonstrates eval(call.args["expression"]) in a tool handler, normalizing arbitrary code execution as an SDK usage pattern. Because agent/tool inputs may be influenced by prompts, users, or model output, this creates a realistic path to remote code execution in applications built from the sample.

Missing User Warnings

Severity
Medium
Confidence
92%
Finding
The examples encourage uploading local files and passing raw file contents to a remote AI service, but they do not clearly warn that local data will leave the host system. In an agent-skill context, this can normalize exfiltration of sensitive files such as images, documents, or embedded metadata, especially when users copy examples without understanding the trust boundary.

Missing User Warnings

Severity
Medium
Confidence
86%
Finding
The conversation memory example persists full chat history to a local JSON file and later replays it without any warning about sensitive data retention, consent, minimization, or prompt-injection persistence. In an agent SDK context, saved transcripts may contain secrets, personal data, or prior malicious instructions that get automatically reintroduced in later sessions, creating privacy and integrity risks.

Missing User Warnings

Severity
Low
Confidence
74%
Finding
The streaming example executes tool calls directly in the callback via execute_tool(call.name, call.args) with no warning that tools may have external side effects such as file, network, or system actions. In an agent-development SDK, this can normalize unsafe patterns where untrusted model-directed tool invocations are run automatically during streaming UX flows.

Missing User Warnings

Severity
Medium
Confidence
90%
Finding
The documentation normalizes automatic upload of local file paths and downloading remote result URLs without warning users that local data will be transmitted to a remote service and that remote content is being fetched back into the environment. In an SDK used for agent development and automation, this can lead to unintended disclosure of sensitive local files or unsafe ingestion of untrusted remote content when developers copy examples verbatim.

Missing User Warnings

Severity
High
Confidence
97%
Finding
The example shows `public=True` for uploaded files, making them publicly accessible, but provides no warning that this may expose sensitive documents or media to anyone with the resulting URL or broader public access depending on backend semantics. Because this is reference documentation for a Python SDK, developers may treat this as a recommended default and unintentionally publish private data.

Session Persistence

Severity
Medium
Category
Rogue Agent
Content (excerpt)
## Conversation Memory Pattern

Maintain context across sessions:

```python
import json
```

Confidence
81%
Finding
Maintain context across sessions

VirusTotal

66/66 vendors flagged this skill as clean.