Aws S3

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate AWS S3 SDK bundle, but it can give agents broad live S3 access through whatever AWS credentials the gateway container already has.

Install only in an environment with a tightly scoped IAM role or AWS profile. Limit permissions to specific buckets, prefixes, and required actions, verify the release tarball checksum, and require explicit user approval before agents run S3 write or delete operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 84%
Finding
The documentation explicitly states that the skill uses the AWS SDK default credential provider chain and will automatically resolve credentials via EC2/ECS instance metadata (IMDS). In an agent environment, this can cause the package to silently access host or task-role credentials without a clear user-facing warning, increasing the risk of unintended cloud access or privilege use if the skill is invoked in a sensitive runtime.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill documentation explicitly shows code that performs live AWS S3 operations and explains that credentials may be sourced automatically from instance metadata, but it does not clearly warn users that using the skill will make outbound AWS API calls and may read bucket contents. In an agent context, this omission is security-relevant because users may assume the skill is a local SDK bundle only, when in practice it can access and transmit sensitive cloud data using ambient credentials.

VirusTotal

65/65 vendors flagged this skill as clean.
