archive-extractor

Security checks across malware telemetry and agentic risk

Overview

This archive-extraction skill is mostly coherent, but it can silently run pip to install Python packages despite claiming no network or system-executable use.

Review before installing. Use it only in an isolated environment or after removing auto-install behavior; preinstall any needed dependencies yourself, choose a dedicated extraction directory, and avoid running it on untrusted archives without disk and recursion limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Install *package* into the current interpreter's site-packages."""
    logger.info("Installing %s ...", package)
    try:
        subprocess.check_call(
            [sys.executable, "-m", "pip", "install", "--quiet", package],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.PIPE,
Confidence
95% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "pip", "install", "--quiet", package], stdout=subprocess.DEVNULL, stderr=subprocess.PIPE, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill documentation advertises and enables file read, file write, and shell-like behavior without declaring permissions, which weakens informed consent and policy enforcement around what the skill can do. In this specific context, the risk is amplified because archive extraction already touches the filesystem extensively, and the undocumented shell capability appears tied to invoking pip for dependency installation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose says the skill works with only Python and no local software, but the behavior includes runtime pip installation of optional packages, subprocess invocation, and likely network access to package repositories. This mismatch is dangerous because users may authorize a simple offline extraction tool while actually granting a component that can fetch and execute third-party code at runtime.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill description claims there are 'no other network calls' and 'no local software' requirements, but the implementation can invoke `pip install`, which may contact package indexes and alter the runtime environment. That mismatch is security-relevant because it defeats operator expectations and can cause users to run code they would not have approved under an accurate description.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
An archive extractor does not need to spawn subprocesses in normal operation, so adding subprocess-based package installation is an unjustified capability expansion. In a skill intended to process potentially untrusted input, minimizing privileges is important; this behavior increases attack surface and makes a simple file-handling tool capable of executing package-management actions.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The docstring explicitly says the tool does not call system executables, yet it runs `python -m pip` via `subprocess.check_call`. This is dangerous because deceptive or inaccurate security claims reduce informed consent and may cause deployment into restricted environments where subprocess execution is prohibited or closely controlled.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation omits a clear warning that extraction writes files and recursively unpacks nested archives, which can rapidly consume disk space and create large numbers of files. In an archive-extraction skill, this context makes the issue especially relevant because nested or adversarial archives can trigger unexpectedly large output and operational disruption.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code auto-installs optional packages on first use without obtaining explicit confirmation at the moment it performs the action. Silent dependency installation is risky because it can trigger unplanned network access, change interpreter state, and introduce third-party code into environments that may be handling untrusted archives or operating under strict change-control policies.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal