AES EMR YARN Analyzer

Security checks across malware telemetry and agentic risk

Overview

This is a plausible YARN/EMR analysis skill, but it ships real-looking cloud and root SSH credentials and would run remote collection as packaged.

Do not run this skill as packaged. Replace and rotate any exposed credentials, remove the bundled root password and AccessKey values, use a read-only least-privilege account, verify the SSH host key, and restrict permissions on config, cookie, and log files before considering use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding:
The skill documents capabilities to read/write local files, store cookies and logs, and access remote systems over SSH/API, yet no explicit permissions are declared. That creates a governance gap: users and hosting platforms cannot accurately understand or constrain the skill's real access, increasing the chance of over-privileged execution and silent exposure of sensitive data such as credentials, cluster metadata, and cookies.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding:
The documented purpose materially differs from the observed behavior: the skill appears to store cookies locally, collect broader system and HDFS information than advertised, use SSH credentials for remote access, and lacks the deep YARN trend analysis it claims. This mismatch is dangerous because it can mislead operators into approving a diagnostic skill that actually performs broader data collection and credential-based remote access than expected.

Description-Behavior Mismatch

Severity: Medium
Confidence: 84%
Finding:
The script persists cookie data to a local file with a 24-hour lifetime even though cookie handling is not necessary for the stated YARN/EMR resource-analysis function. Storing authentication material on disk expands the attack surface through local disclosure, reuse, or accidental leakage via backups, logs, or shared workspaces.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
The SSH collection includes broad host-level and HDFS administrative commands such as free, lscpu, uptime, and hdfs dfsadmin -report, which go beyond narrowly scoped YARN load analysis. This unnecessarily increases privileged visibility into the cluster and can expose unrelated infrastructure details if the script is run with elevated access.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The script contains hardcoded defaults for an SSH host, root username, and password, enabling remote access even when the operator has not intentionally provided credentials. In a security-sensitive skill, embedding working administrative access materially increases the risk of unauthorized cluster access, credential leakage, and reuse across environments.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The code uses hardcoded SSH credentials to perform remote command execution without any explicit disclosure or consent flow. This creates a hidden administrative capability inside a diagnostic skill and makes credential compromise or unintended access far more likely.

Missing User Warnings

Severity: High
Confidence: 93%
Finding:
The script sends cloud access credentials derived from access_key_id and access_key_secret in an Authorization header during outbound API calls, but this sensitive transmission is not clearly disclosed to the user. Even over HTTPS, placing long-lived cloud secrets directly into application requests increases the blast radius of logging, interception by intermediaries, and misuse if the endpoint or implementation is incorrect.

VirusTotal

66/66 vendors flagged this skill as clean.
