Security audit

CFGPU API Skill

Security checks across malware telemetry and agentic risk

Overview

This CFGPU cloud-management skill is mostly purpose-aligned, but it needs review because it can persist cloud API tokens locally and run high-impact instance actions with weak safeguards.

Install only if you trust this skill with the CFGPU account access granted by the token. Prefer a limited or short-lived token, avoid running setup-env.sh unless you accept plaintext local token persistence, remove any CFGPU_API_TOKEN line it adds to shell startup files if you do not need it, and manually verify instance IDs, costs, and backups before release or change-image operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 83%
Finding: The skill advertises shell-based usage and helper scripts but does not declare corresponding permissions. This creates a transparency and consent problem because an agent or user may invoke local shell capabilities without an explicit permission boundary, increasing the chance of unintended system changes.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The documented purpose is GPU cloud management, but the described/linked behaviors extend into local package installation, shell profile modification, token persistence, environment inspection, and repository packaging. That mismatch is dangerous because users may authorize a cloud-management skill without realizing it can alter their workstation state and persist secrets locally.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The script explicitly claims to sanitize sensitive information before publishing, but the `sed` replacements are identity substitutions and therefore do not redact anything. This creates a real risk of accidental secret disclosure because operators may trust the script's safety claims and publish copied content containing live credentials, identifiers, or personal data.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The generated verification script is logically inverted for token placeholders: it flags the placeholder string `YOUR_API_TOKEN` as if it were a hardcoded secret. That makes the verification step unreliable, encouraging users to bypass it or ignore failures, which undermines the only safety check before publication.

Vague Triggers

Severity: Medium
Confidence: 74%
Finding: The activation phrases are broad enough to match common requests such as general AI training setup or cost-effective GPU cloud usage. Overbroad triggers can cause the skill to activate in contexts where the user did not intend CFGPU-specific actions, increasing the risk of accidental external API calls or resource-creating operations.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill promotes create/stop/release operations as simple management tasks without prominent warnings that they may incur charges, interrupt workloads, or permanently destroy resources. In a cloud infrastructure context, missing warnings materially increase the likelihood of user harm through accidental spend or data loss.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The release command performs a destructive cloud resource deletion without any explicit warning, confirmation prompt, or safeguard. In an automation/helper script for managing paid GPU instances, an accidental invocation can irreversibly terminate resources and cause data loss or service disruption.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The script persists a sensitive API token into shell startup files in plaintext, which increases the chance of accidental disclosure through dotfile syncing, backups, shell history inspection, or later echo/debug behavior. Although intended as a convenience, exporting long-lived credentials from ~/.bashrc or ~/.zshrc makes the secret broadly available to all future shell sessions and child processes.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
fi
fi

# Create config directory
mkdir -p ~/.cfgpu

# Ask for API token
Confidence: 89%
Finding:
# Create config directory
mkdir -p ~/.cfgpu

# Ask for API token
echo "Please enter your CFGPU API Token:"
echo "(You can get it from https://cfgpu.com)"
read -p "API Token: " api_token
if [ -n "$api_t

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.