Optimistic Offline Lock Implementer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a documentation-only concurrency/versioning skill with some risky technical guidance, but no evidence of hidden execution, data access, persistence, or malicious behavior.

Install only if you want concurrency and versioning guidance, and review its examples before applying them. In particular, do not copy the read-consistency or EF Core versioning snippets into production without framework-specific tests and a real persisted-version validation step.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
This is a true vulnerability in the skill guidance because the sample inconsistent-read check tells implementers to increment in-memory versions rather than verify current persisted versions at commit time. If copied into a real Unit of Work, it can create a false sense of protection while failing to detect concurrent changes to read-only dependencies, allowing stale decisions and integrity bugs.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The documented `checkConsistentReads()` implementation mutates versions for objects that were only read, despite being presented as protection for read-only dependencies. In practice this can cause unintended writes, spurious optimistic-lock conflicts, and denial-of-service-style contention or data integrity issues when readers unnecessarily advance versions and interfere with legitimate concurrent updates.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The skill metadata explicitly requires an integer version column and calls timestamp versioning an anti-pattern, but the reference presents EF Core rowversion/timestamp as a normal supported option. That inconsistency can cause implementers to choose a concurrency mechanism the skill is supposed to forbid, leading to drift from the prescribed design, weaker guarantees around version semantics, and incorrect end-to-end implementations across clients and services.

VirusTotal

64/64 vendors flagged this skill as clean.
