Skill Creator (Opencode)

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its skill-building purpose, but it has local side effects that users should review before installing.

Install only if you are comfortable with a skill that edits local skill files, runs Opencode, and creates evaluation workspaces. Before use, verify the Opencode executable path, avoid putting secrets or proprietary data in eval prompts or skill files, prefer the static viewer or an unused port, and stop the viewer after review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
```python
if model:
    cmd.extend(["--model", model])

process = subprocess.Popen(
    cmd,
    stdout=subprocess.PIPE,
    stderr=subprocess.DEVNULL,
```
Confidence
87% confidence
Finding
process = subprocess.Popen( cmd, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, cwd=project_root, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill explicitly instructs the agent to read and write files, run shell commands, launch processes, and manipulate local artifacts, but it does not declare permissions or boundaries for those capabilities. This creates a transparency and containment problem: a caller may invoke the skill expecting only content generation, while the skill is authorized in practice to modify the filesystem and execute commands.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The declared description frames the skill as creating and improving skills, but the body authorizes materially broader behavior including packaging archives, schema validation, serving a local review app, opening a browser, scanning workspaces, and killing processes on a port. That mismatch can mislead users and orchestration systems about what the skill will actually do, increasing the chance of unexpected local side effects or destructive actions.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The program enumerates any process listening on the requested port and sends SIGTERM to it before starting its own server, without verifying ownership, origin, or user intent. This can disrupt unrelated local services and destroy work in progress, especially in shared dev machines or automated environments where important processes may be bound to that port.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This local review tool loads fonts from Google and SheetJS from an external CDN at runtime, which creates a supply-chain and privacy risk. If the CDN resource is compromised, changed, blocked, or swapped despite SRI only covering the script, the page could execute attacker-controlled code or leak reviewer metadata; for a tool used to inspect potentially sensitive eval outputs, that is an avoidable trust boundary.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The guidance encourages intentionally 'pushy' trigger descriptions that broaden activation criteria and overlap with common user language. Overbroad triggering increases the chance this powerful skill is invoked in contexts where extensive file, shell, evaluation, or packaging actions are unnecessary, leading to unnecessary exposure and side effects.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The tool silently kills processes on the selected port with no prominent warning before doing so, which makes destructive behavior surprising and harder for users to prevent. While this is primarily a safety and reliability issue, it materially increases the chance of accidental denial of service against local developer tooling or other applications.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The spreadsheet renderer takes workbook content and assigns SheetJS-generated HTML directly via innerHTML. Because eval outputs are untrusted and spreadsheets can contain attacker-controlled cell values, formulas, hyperlinks, or markup-like content, this can create a client-side injection/XSS path in the review UI if the generated HTML is not strictly sanitized.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script constructs a prompt containing skill content, eval results, history, and possibly user-derived query text, then sends it to an external CLI without any explicit consent gate, warning, or data-minimization at the transmission point. In a skill-creation context, those inputs may contain proprietary prompts, internal test data, or sensitive user queries, so silent forwarding increases the risk of unintended data disclosure.

Session Persistence

Medium
Category
Rogue Agent
Content
4. **Launch the viewer** with both qualitative outputs and quantitative data:
   ```bash
   nohup python <skill-creator-path>/eval-viewer/generate_review.py \
     <workspace>/iteration-N \
     --skill-name "my-skill" \
     --benchmark <workspace>/iteration-N/benchmark.json \
   ```
Confidence
90% confidence
Finding
nohup

VirusTotal

66/66 vendors flagged this skill as clean.
