Remote Skill Engine

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent remote-skill caching purpose, but it imports remote instructions into the active skill path with weak trust controls.

Install only if you intentionally want remote skills to be promoted into your active local skill set. Use reviewed, pinned sources; avoid arbitrary URLs; do not use these helpers on untrusted networks; inspect downloaded SKILL.md and scripts before use; and remove cached symlinks if you do not want remote instructions to persist.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill performs sensitive actions including network fetches, local file writes, symlink creation, and shell execution, yet declares no permissions or user-facing safety boundaries. This creates a trust gap where a user or host system may invoke behavior with broader capability than expected, especially dangerous because the content being fetched is itself executable skill logic from remote sources.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented purpose says the skill caches remote skills for offline use, but the actual behavior includes direct remote discovery, metadata fetching, comparison, and manual execution of remotely fetched workflows, including arbitrary HTTP(S) sources. That mismatch weakens informed consent and can cause the agent to perform riskier network and execution behavior than the user reasonably expects from the description.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The documentation says remote skills can be used like locally installed skills or without installing, but the example instructs the agent to fetch a remote SKILL.md and then execute its workflow manually. That effectively treats untrusted remote instructions as operational input, increasing prompt-injection and unsafe-action risk while obscuring that this is not a passive cache-only operation.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The download helper explicitly disables both TLS certificate validation and hostname verification, which removes authentication from HTTPS. In this skill's context, downloaded SKILL.md and scripts are cached locally, made executable, and symlinked into the active skills directory, so a man-in-the-middle attacker can replace remote content with malicious code or instructions that will later be trusted and executed.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
By setting check_hostname=False and verify_mode=ssl.CERT_NONE, the code performs unauthenticated remote downloads while presenting them as normal HTTPS fetches. Because this utility stores remote skills for offline use and later exposes them as if locally installed, the trust impact is amplified: compromised downloads can persist and be used long after the network attack.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The code explicitly disables both certificate validation and hostname verification before fetching remote content over HTTPS. This allows a machine-in-the-middle attacker or malicious proxy to impersonate the remote host and serve forged skill metadata, undermining the trust boundary for a feature that imports remote skills and making the broader skill-loading context more dangerous.

Vague Triggers

Medium
Confidence
82% confidence
Finding
Very broad trigger phrases such as asking what skills exist or what a skill does can cause this skill to activate during ordinary exploratory conversation. Because activation can lead to network access, fetching remote content, and local caching actions, unintended triggering expands the attack surface and may cause the agent to process adversarial remote instructions without a deliberate install decision.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrase 'Get <skill> from web' is underspecified and can match many benign requests, leading the agent to fetch and potentially cache remote content from external sources. In the context of a skill that can create local symlinks and make fetched skills act like installed ones, ambiguous invocation materially increases accidental unsafe use.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill describes remote fetching, syncing, and registry search without a clear warning that these actions contact third-party services and expose request metadata such as queried skill names, timing, and possibly repository targets. In a skill that routinely reaches out to GitHub and other registries, lack of privacy and integrity disclosure makes social engineering and supply-chain abuse more likely.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill describes remote fetching, syncing, and registry search without a clear warning that these actions contact third-party services and expose request metadata such as queried skill names, timing, and possibly repository targets. In a skill that routinely reaches out to GitHub and other registries, lack of privacy and integrity disclosure makes social engineering and supply-chain abuse more likely.

Missing User Warnings

High
Confidence
98% confidence
Finding
TLS verification is silently disabled without any explicit warning to the user, creating a false sense of security around remote skill retrieval. In a system that imports remote skills into a local trusted workspace, this materially increases the risk of supply-chain compromise through network interception or hostile proxies.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script silently fetches attacker-controlled remote content and suppresses TLS certificate validation, exposing users to man-in-the-middle tampering and retrieval of untrusted instructions without meaningful warning. In this skill context, that is more dangerous because the whole purpose is to consume remote skills, so users may be predisposed to trust and act on whatever content is displayed.

VirusTotal

65/65 vendors flagged this skill as clean.
