IOC Intelligent Inspection Report

Security checks across malware telemetry and agentic risk

Overview

This reporting skill is not destructive, but it ships a real-looking remote database login and queries operational data beyond what the docs clearly disclose.

Review before installing or running. Remove the bundled config.yaml credential, rotate it if it is real, replace it with your own least-privilege read-only database account, and inspect the SQL queries first, especially the personnel access query. Treat generated reports as potentially mock or incomplete unless the data source is explicitly verified.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill documentation indicates use of environment variables, file reads, and file writes, but no explicit permissions are declared. This creates a transparency and least-privilege problem: users and platforms cannot accurately assess what the skill can access before installation or execution. In a skill that reads database credentials and writes reports, undeclared capabilities increase the risk of overbroad access and misuse of local data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
A description-behavior mismatch is security-relevant because it undermines informed consent and can conceal access to data outside the user's expectations, such as personnel access records. The mismatch also suggests the skill may query different tables than advertised, meaning operators may grant database access believing it is limited to alarms and device status when it actually touches other operational or potentially sensitive datasets.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The report always states that its data source is the real-time IOC database, but the script silently falls back to generated mock data when the database is unavailable. In an operational reporting context, this can mislead operators into trusting fabricated metrics, causing incorrect decisions, missed incidents, or compliance/reporting issues.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The skill instructs users to connect to PostgreSQL and read real-time operational data without warning that such data may include sensitive building, operational, or personnel-related information. In an IOC context, this can expose infrastructure details, alarm history, work orders, and access patterns, increasing confidentiality and operational security risk if deployed carelessly.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The configuration example uses a database password placeholder but provides no handling guidance for secrets. Without clear instructions, users may hardcode credentials in config files, store them with weak permissions, or accidentally commit them, leading to database compromise and unauthorized access to operational data.

VirusTotal

66/66 vendors flagged this skill as clean.