Skill Creator

By Anthropic

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate skill-building tool, but it needs Review because some of its helper scripts have broad local effects (process termination, filesystem reads and writes) and send skill and evaluation content through the Claude CLI.

Install only if you are comfortable with a skill that runs local Python helpers, nested Claude CLI evaluations, and review servers. Avoid secrets or proprietary data in skill drafts, eval prompts, and benchmark outputs; prefer the static viewer when possible; do not run the viewer on a port used by another service; and review paths before letting it read or write comparison/evaluation artifacts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding
The skill instructs the agent to read and write files, execute shell commands, launch Python scripts, and use environment-dependent tooling, but the frontmatter declares no compatibility or permission constraints. This creates an authority mismatch: users or orchestrators may invoke the skill without understanding that it performs code execution and filesystem operations, increasing the chance of unsafe use or abuse.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The tool unconditionally finds and sends SIGTERM to any process listening on the requested port before starting its own server. That exceeds the stated purpose of generating and serving a review page and can disrupt unrelated local services, developer tools, or security-sensitive processes if the chosen port overlaps with something important.
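The safer pattern for the port-handling problem described above, as an added example that is not code from the Skill Creator scripts: try to bind the requested port and fail closed (or fall back to a kernel-assigned ephemeral port only when the user opted in) instead of signalling whatever already owns it. The interface is an assumption: the review server is started from the pre-bound socket this returns rather than binding the port itself, which also removes the check-then-bind race.

```python
import errno
import socket
from typing import Optional

# Added example, not code from the Skill Creator helper scripts. Assumed
# interface: the review server is started from the socket returned by
# acquire_listener() instead of binding the port a second time.

LOOPBACK = "127.0.0.1"  # a local review page has no reason to listen on 0.0.0.0


def try_bind(port: int, host: str = LOOPBACK) -> Optional[socket.socket]:
    """Bind a fresh TCP socket to host:port; return None if the port is taken.

    SO_REUSEADDR is deliberately not set, so a port with a live listener on it
    is reported as busy rather than silently shared.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
    except OSError as exc:
        sock.close()
        if exc.errno in (errno.EADDRINUSE, errno.EACCES):
            return None
        raise
    return sock


def acquire_listener(requested: int, allow_fallback: bool = False,
                     host: str = LOOPBACK) -> socket.socket:
    """Obtain the server's listening socket without touching other processes.

    If the port is busy: refuse by default (fail closed), or, when the user
    opted in, ask the kernel for a free ephemeral port by binding port 0.
    Returning the bound socket rather than a True/False answer means there is
    no window between "port looked free" and "server bound it".
    """
    sock = try_bind(requested, host)
    if sock is None:
        if not allow_fallback:
            raise RuntimeError(
                f"port {requested} on {host} is already in use; refusing to "
                "terminate the other process. Choose another port or allow fallback."
            )
        sock = try_bind(0, host)
        if sock is None:  # should not happen for port 0 on a healthy host
            raise RuntimeError("could not obtain an ephemeral port")
    sock.listen(16)
    return sock


def listener_port(sock: socket.socket) -> int:
    """Port the listener actually got (differs from the request after fallback)."""
    return sock.getsockname()[1]


if __name__ == "__main__":
    srv = acquire_listener(8765, allow_fallback=True)
    print(f"review server would listen on http://{LOOPBACK}:{listener_port(srv)}/")
    srv.close()
```

If the real concern is a stale instance of the viewer itself from an earlier run, record that instance's PID in a lockfile and signal only that PID; killing by port number cannot tell the tool's own leftover from an unrelated service that happens to use the same port.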

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The page pulls executable JavaScript and other assets from third-party domains, including SheetJS from a CDN and Google Fonts. SRI on the script means a tampered copy would be refused by the browser, but the page then fails to render, and the assets loaded without SRI (fonts and stylesheets) and the outbound requests themselves remain. For a local review tool that may display sensitive evaluation data this expands the trust boundary unnecessarily: a compromised or monitored network path can deny the tool or learn when and from where it is used, and any remote asset that lacks integrity pinning could deliver attacker-controlled content. Vendoring the dependencies alongside the page avoids the remote origins entirely.

Vague Triggers

Severity: High
Confidence: 98%
Finding
The skill explicitly tells authors to make descriptions 'pushy' and to trigger even when users do not explicitly ask for the skill. That guidance encourages overbroad activation and skill collisions, which can cause this high-authority skill to run in unrelated contexts and perform file, shell, and benchmarking actions the user did not intend.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
The file combines two materially different operating modes—post-hoc comparison analysis and benchmark-result analysis—without an explicit activation mechanism or hard separation. In an agent setting, this ambiguity can cause the model to mix tasks, read the wrong inputs, emit the wrong schema, or violate user expectations, which can corrupt evaluation artifacts and produce misleading analysis outcomes.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill explicitly instructs the agent to read output paths that may be files or directories and to write a JSON result to a specified path, but it does not constrain those paths to a sandbox or approved workspace. If an attacker can influence the provided paths, the agent could be induced to inspect unrelated local files/directories or overwrite files when saving results, creating a filesystem read/write primitive beyond the user's likely intent.
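One way to close the read/write primitive described above, as an added example that is not the skill's own code: resolve every supplied path against a single approved workspace and refuse anything that ends up outside it, including `..` traversal, absolute paths and symlinks planted inside the workspace. The workspace root and the "never clobber unless asked" rule are assumptions; the fixture built by `build_demo_workspace()` is constructed here for the demonstration.

```python
import json
import os
import tempfile
from pathlib import Path

# Added example, not code from the Skill Creator scripts. Assumed policy:
# every path the agent is handed for reading comparison outputs or writing
# result JSON must resolve inside one approved workspace directory.


class PathOutsideWorkspace(ValueError):
    """Raised when a user- or prompt-supplied path escapes the workspace."""


def _assert_inside(root: Path, target: Path, shown: str) -> Path:
    if target != root and root not in target.parents:
        raise PathOutsideWorkspace(f"{shown!r} resolves to {target}, outside {root}")
    return target


def resolve_within(workspace: Path, candidate: str, must_exist: bool = False) -> Path:
    """Resolve `candidate` relative to `workspace` and prove it stays inside.

    Path.resolve() follows symlinks and collapses '..', so a symlink planted
    inside the workspace that points elsewhere, and a '../' traversal, both
    land outside `root` and are rejected. An absolute `candidate` replaces
    `root` in the join (pathlib semantics) and is caught by the same check.
    """
    root = workspace.resolve(strict=True)
    target = (root / candidate).resolve(strict=must_exist)
    return _assert_inside(root, target, candidate)


def read_artifact(workspace: Path, candidate: str) -> dict:
    """Read one file, or every *.json in a directory, but only inside the workspace."""
    root = workspace.resolve(strict=True)
    path = resolve_within(workspace, candidate, must_exist=True)
    if path.is_dir():
        # Re-check each entry: a symlinked file inside the directory may point out.
        return {p.name: _assert_inside(root, p.resolve(), str(p)).read_text()
                for p in sorted(path.glob("*.json"))}
    return {path.name: path.read_text()}


def write_result(workspace: Path, candidate: str, data: dict,
                 overwrite: bool = False) -> Path:
    """Write result JSON inside the workspace; never clobber unless asked to."""
    path = resolve_within(workspace, candidate)
    path.parent.mkdir(parents=True, exist_ok=True)
    mode = "w" if overwrite else "x"  # 'x' raises FileExistsError if present
    with open(path, mode, encoding="utf-8") as fh:
        json.dump(data, fh, indent=2)
    return path


def build_demo_workspace() -> Path:
    """Constructed fixture: a temp workspace with one artifact and a symlink escape."""
    ws = Path(tempfile.mkdtemp(prefix="skill-eval-"))
    (ws / "runs").mkdir()
    (ws / "runs" / "run1.json").write_text('{"score": 0.8}')
    os.symlink(ws.parent, ws / "escape")  # points outside the workspace
    return ws


if __name__ == "__main__":
    ws = build_demo_workspace()
    print(read_artifact(ws, "runs"))
    for bad in ("../outside.json", "/etc/passwd", "escape/leak.json"):
        try:
            resolve_within(ws, bad)
        except PathOutsideWorkspace as exc:
            print("refused:", exc)
    print("wrote", write_result(ws, "results/analysis.json", {"ok": True}))
```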

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The XLSX renderer converts workbook content to HTML and injects it with innerHTML. Spreadsheet content is attacker-controlled input in this context, so if SheetJS-generated HTML includes dangerous markup, links, or active content, the page could render untrusted HTML and potentially enable XSS or UI spoofing against the reviewer.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The code sends skill content, eval results, prior history, and possibly user-derived queries to an external claude subprocess without any warning, consent gate, or data-minimization at the call site. In a skill-creation context, these inputs may contain proprietary prompts, internal test cases, or sensitive user text, so silent exfiltration to an external model boundary is a real privacy and compliance risk.
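A call-site gate of the kind the finding above asks for, as an added example that is not the skill's own code: before the payload is handed to the `claude` subprocess, require explicit consent and scan the text for secret-like material, refusing (or, if the caller prefers, redacting) rather than sending it silently. The consent flag is assumed to come from an explicit user prompt or documented opt-in; the patterns cover a few well-known token formats and are a backstop, not a complete secret detector. The sample prompt is constructed here and uses the AWS documentation example access key.

```python
import re
from dataclasses import dataclass
from typing import List

# Added example, not code from the Skill Creator scripts. Assumed call site:
# a helper that shells out to the `claude` CLI with skill text, eval results
# and prior history. gate_outbound() runs on that payload first.

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "bearer_token": re.compile(r"(?i)\bBearer\s+[A-Za-z0-9._~+/-]{20,}=*"),
    "generic_api_key": re.compile(r"(?i)\b(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]?[A-Za-z0-9._-]{16,}"),
}


class OutboundBlocked(RuntimeError):
    """Payload must not leave the process."""


@dataclass
class GateResult:
    text: str            # text after redaction
    redacted: List[str]  # pattern names that fired, sorted


def scan_secrets(text: str) -> List[str]:
    """Names of the secret patterns present in `text`, sorted for stable output."""
    return sorted(name for name, rx in SECRET_PATTERNS.items() if rx.search(text))


def redact(text: str) -> GateResult:
    """Replace each match with a labelled placeholder so the model still sees structure."""
    hits = []
    for name, rx in SECRET_PATTERNS.items():
        text, n = rx.subn(f"[REDACTED:{name}]", text)
        if n:
            hits.append(name)
    return GateResult(text, sorted(hits))


def gate_outbound(text: str, consent_given: bool, strict: bool = True) -> str:
    """Return the text that may be sent to the external model, or raise.

    strict=True refuses outright when anything secret-like is present;
    strict=False sends a redacted copy instead. Consent is checked first so a
    clean payload still never leaves without the user having agreed.
    """
    if not consent_given:
        raise OutboundBlocked("no consent to send evaluation content to an external model")
    hits = scan_secrets(text)
    if hits and strict:
        raise OutboundBlocked("payload contains secret-like material: " + ", ".join(hits))
    return redact(text).text if hits else text


# Constructed sample inputs (the AKIA value is AWS's documentation example key).
SAMPLE_EVAL_PROMPT = (
    "Evaluate the skill against the internal billing test cases.\n"
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
    "-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n-----END RSA PRIVATE KEY-----\n"
)
CLEAN_PROMPT = "Compare the two run summaries and report which scores higher."


if __name__ == "__main__":
    print(scan_secrets(SAMPLE_EVAL_PROMPT))
    print(gate_outbound(SAMPLE_EVAL_PROMPT, consent_given=True, strict=False))
```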

VirusTotal

66/66 vendors flagged this skill as clean.