Skills Browser

Security checks across malware telemetry and agentic risk

Overview

This is a real local skills browser, but it exposes local skill contents too broadly and can forcibly stop an unrelated local service.

Review before installing. Use only in a trusted local environment, and preferably change it first to bind to 127.0.0.1, remove wildcard CORS, validate requested skill IDs, avoid killing arbitrary processes on port 8765, and provide a clear stop command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill appears to require file reads, network serving, and shell/process control, but none of these capabilities are declared in the skill metadata. That creates a transparency and review gap: operators may approve a seemingly simple local browser tool without realizing it reads sibling skill files, exposes HTTP endpoints, and invokes shell commands. In this context, the mismatch increases risk because the tool operates over local disk content and local processes, which can affect confidentiality and system stability.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: This is a genuine security-relevant behavior mismatch: the skill is presented as a local viewer, but it also kills whatever is bound to port 8765, auto-launches a browser, scans parent/sibling directories for SKILL.md files, and exposes local HTTP API endpoints with wildcard CORS. Those behaviors expand the trust boundary beyond simple viewing and can leak local metadata to any website running in the user's browser, while also disrupting unrelated local services on the same port.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The API sets `Access-Control-Allow-Origin: *` on endpoints that return local skill metadata and SKILL.md contents. In a browser context, any website the user visits can make cross-origin requests to this local service and read the responses, which turns the local browser tool into a cross-site data exfiltration source.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The server listens on `0.0.0.0`, making the local skill browser reachable from other hosts on the same network instead of only from the local machine. Because the service exposes skill metadata and file contents without authentication, network-adjacent attackers can directly query the API, and this risk compounds with the permissive CORS configuration.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding: The script unconditionally identifies any process listening on port 8765 and forcefully terminates it with `kill -9` before starting its own server. This is dangerous because it can disrupt unrelated local services, cause data loss or corruption by preventing graceful shutdown, and lets the skill interfere with other software outside its own scope.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: Force-killing any process on port 8765 without warning or confirmation is an unsafe and overbroad action. In a local developer environment, that port may belong to unrelated tools or user workloads, and `kill -9` prevents cleanup handlers from running, increasing the risk of service interruption and lost state.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The script starts a local Python server in the background without notifying the user, tracking the PID, or managing its lifecycle. While less severe than the forced kill, this can leave unexpected services running, create confusion about exposed local endpoints, and make cleanup or auditing harder.

VirusTotal

64/64 vendors reported this skill as clean.