ClawHub

Residue Classifier

Security checks across malware telemetry and agentic risk

Overview

This is a local workspace file classifier with disclosed report output and a disclosed Stripe upgrade link, but users should treat its generated safety flag carefully.

Run it only from a workspace you intend to inventory. Review `residue-classifier-report.json` before sharing or committing it, treat the Stripe link as optional marketing, and do not let automation rely on the `safe` field alone.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
80% confidence
Finding
The skill appears to use file read and file write capabilities despite not declaring any permissions, which breaks transparency and can undermine user consent and policy enforcement. In a skill that classifies workspace residue, reading files may be expected, but undeclared write behavior is more concerning because it can create artifacts or alter the environment without explicit authorization.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The declared description says the skill classifies residue and provides guidance, but the detected behavior expands to recursive workspace enumeration, optional local rule loading, disk writes, and a commercial upsell link. This mismatch is dangerous because users may invoke the skill expecting narrow analysis while it accesses broader workspace contents and introduces non-essential monetization behavior that is not part of the stated security-relevant function.

Description-Behavior Mismatch

Low
Confidence
94% confidence
Finding
The README makes strong safety claims such as 'local report generation only' and 'non-destructive', yet it also includes an external Stripe payment link and describes fulfillment by direct email attachment. This creates a trust and transparency issue: users may be misled about the skill's operational boundaries and could be induced to follow off-platform links or receive unverified artifacts outside the repository's review path.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill embeds a hardcoded external commercial escalation link and conditionally directs users to it when the workspace is deemed 'critical'. In a security-sensitive workspace analysis tool, this creates a trust-boundary issue: users may be nudged toward an external service based on local file inspection results, which can facilitate unintended data disclosure or social-engineering-style upsell behavior.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The report unconditionally sets 'safe': True even when status is 'critical' and the code states the anomaly 'cannot safely resolve'. This misrepresents the security posture of the run and can cause downstream agents or users to treat a risky workspace state as approved, suppressing needed review or containment.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal