Harbor Skills

Security checks across malware telemetry and agentic risk

Overview

This is a real Harbor administration skill, but it includes powerful production-impacting examples with weak guardrails and some unsafe credential patterns.

Install only if you intend to let the agent assist with Harbor administration. Use least-privilege robot accounts with expirations, avoid admin passwords and inline secrets, review every delete, GC, replication, restore, webhook, and GitOps action before running it, and treat scan reports, audit logs, backups, and webhook payloads as sensitive production data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill declares `auth-method: env` and includes multiple network-capable `curl`/`requests` examples, but it does not declare explicit permissions for environment access and outbound network use. This creates a governance gap: a user-invocable skill can handle secrets and make authenticated remote changes without transparent least-privilege controls or clear platform enforcement.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The document includes hardcoded Harbor admin credentials in example curl commands, which can normalize insecure operator behavior and lead to credential reuse or accidental exposure in shell history, logs, screenshots, or copied scripts. In a Harbor administration skill, this is especially dangerous because the examples target a privileged API account and may be used verbatim in production-like environments.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The documented function presents itself as a dry-run evaluator, but the `dry_run` parameter is never used to alter behavior. In an operations skill focused on Harbor image cleanup, this mismatch can mislead maintainers into believing deletion candidates are being safely simulated, increasing the risk that the same logic is reused in real cleanup workflows and causes unintended image removal.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The deploy example claims Argo CD will automatically detect and deploy new images, but the pipeline actually performs a direct imperative change with `kubectl set image` against the live cluster. This bypasses GitOps as the source of truth, can cause drift from the Git repository, and may let CI credentials mutate production outside the normal review and reconciliation flow.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger description is very broad, covering nearly any mention of Harbor, registries, Docker images, CI/CD, GitOps, or webhooks. For a user-invocable skill that contains destructive admin operations, broad activation increases the chance of accidental invocation in casual discussions, causing unintended credential use or operational changes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document includes direct and batch image deletion commands without strong warnings, prerequisite checks, dry-run defaults, or mandatory user confirmation. In a registry-management skill, these commands can permanently remove tags or artifacts and disrupt deployments, rollbacks, and supply-chain recovery if triggered carelessly.

Missing User Warnings

High
Confidence
98% confidence
Finding
The recovery section contains service shutdown and restoration steps (`docker-compose down`, restore, restart) but does not prominently warn about business interruption, rollback failure, or data consistency risks. In the Harbor admin context, following these instructions on a production environment can cause immediate outage, image pull/push failures, and prolonged recovery if backup integrity is not validated.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill shows commands to export audit logs and scan reports, which may contain usernames, repository names, vulnerability data, and operational metadata, but omits privacy and handling guidance. This can lead to unintentional exposure of sensitive security and user activity data when exported to terminals, files, or shared systems.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The recovery section instructs operators to stop Harbor, import a database dump, and extract configuration over existing paths without an explicit warning that these actions cause downtime and can overwrite live data. In operational docs for infrastructure software, omission of such warnings materially increases the chance of accidental destructive execution.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The replication rule example sets `deletion: true` and `override: true`, which can propagate deletions and overwrite artifacts in the destination registry. In a Harbor administration skill, this is especially risky because users may copy the example directly into production and unintentionally cause destructive synchronization or data loss across registries.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The authentication section includes plaintext example credentials and token material patterns such as username:password and TOKEN_SECRET with no warning about secret handling, shell history, logging, or credential rotation. In an ops-oriented Harbor skill, users may copy these commands directly into terminals, CI logs, or documentation, increasing the chance of credential leakage and unauthorized registry access.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The documentation includes example webhook URLs and auth headers but does not warn that Harbor webhook payloads can contain sensitive operational metadata such as project names, repository paths, operators, and vulnerability scan results. In a Harbor administration skill, users may copy these examples directly into production integrations, increasing the chance that tokens or payload data are exposed in logs, screenshots, or insecure downstream systems.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The chat/notification forwarding example sends repository names and vulnerability severity data to external messaging platforms without any caution about data disclosure. This can leak internal inventory, project structure, replication policy names, and security posture to third-party services or broad chat audiences, which is especially sensitive in a Harbor ops context because scan results and image metadata are security-relevant.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The rotate operation deletes an existing robot account before creating a replacement, and it does so without any confirmation, dry-run, or rollback protection. In an operational environment, a mistaken invocation, typo, or partial failure during recreation can immediately revoke CI/CD access and cause service disruption or credential loss.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
| jq '{scan: .scan_summary}'

# Export the detailed scan report (CSV format)
curl -s -H "Authorization: $HARBOR_TOKEN" \
  "$HARBOR_URL/api/v2.0/projects/my-app/repositories/my-app--api/artifacts/v1.2.3/scan_report?accept=text/csv"
```
Confidence
76% confidence
Finding
```bash
curl -s -H "Authorization: $HARBOR_TOKEN" \
  "$HARBOR_URL/api/v2.0/projects/my-app/repositories/my-app--api/artifacts/v1.2.3/scan_report?accept=text/csv"
```

### Automatic scanning policy

```bash
# Set up automated scanning: trigger a scan automatically after an image push
```

VirusTotal

66/66 vendors flagged this skill as clean.