arch-diagram

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but it reads repository source for model-based summarization and the generated HTML depends on a remote Mermaid CDN.

Install only if you are comfortable with the agent reading repository source files and using them in model prompts. Avoid running it on repositories containing secrets, credentials, regulated data, or sensitive proprietary code unless those files are removed or sanitized first. Review the generated cache, /tmp artifacts, final HTML, and the CDN dependency if the output will be shared or opened in a sensitive environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The HTML loads Mermaid from an external CDN at runtime, which means the generated page executes third-party JavaScript whenever it is opened. This creates a supply-chain and integrity risk: if the CDN, dependency, or network path is compromised, arbitrary code can run in the viewer's browser.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The skill claims to output an independent static HTML page, but the page depends on a remote CDN script to function. While this is partly a product-integrity issue rather than a direct exploit by itself, it increases exposure by requiring network access and inheriting the risks of externally hosted executable code.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The skill metadata says it only supports running at the repository root and auto-scans the current directory, but the script accepts an arbitrary repo_path argument and recursively scans that location. In an agent setting, this scope expansion can let a caller or wrapper scan unintended directories and exfiltrate unrelated source code or secrets from elsewhere on the filesystem.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The scanner reads every matched source file and emits full contents to stdout, which is far broader data exposure than necessary for producing an architecture diagram. In agent pipelines, stdout is often captured, logged, cached, or forwarded to upstream models/services, so this behavior can leak proprietary code, embedded credentials, or other sensitive material at scale.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill instructs the agent to scan repository files and send their contents to Claude for summarization, but does not require an explicit warning, consent step, or filtering for secrets/sensitive files. In real repositories this can exfiltrate proprietary source code, credentials, internal docs, or regulated data to an external model service, especially because scanning is broad and automatic.

VirusTotal

67/67 vendors flagged this skill as clean.