Phy Iac Sec Audit

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local IaC scanner with no exfiltration or persistence, but its documentation overstates security coverage in ways that could mislead users relying on it as a gate.

Install only if you treat it as a lightweight local Terraform-oriented checker, not a comprehensive IaC security auditor. Do not rely on a clean result for CloudFormation, Pulumi, or Lambda trust-policy assurance, and keep scan output private because it may include secret-like snippets from your files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

High
Confidence: 96%
Finding
The skill materially overstates its security coverage: the manifest promises robust Terraform, CloudFormation, and Pulumi auditing, but the implementation is predominantly Terraform/AWS regex scanning with only shallow file-type detection for the other formats. In a security tool, this can create dangerous false confidence, causing users or CI pipelines to approve insecure infrastructure under the mistaken belief that comprehensive checks were performed.

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The documentation claims IC011 detects wildcard trust policies and overly broad Lambda execution roles, but the code only looks for a few managed policy names and does not implement the promised trust-policy analysis. This discrepancy can mislead users into believing a high-risk IAM misconfiguration is being checked when it is not, weakening security review and CI gating.

VirusTotal

64/64 vendors flagged this skill as clean.
