Open Cve Scanner

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real CVE scanner, but it has under-disclosed third-party AI lookups, broad external dependency queries, and local persistence that users should review before installing.

Install only if you are comfortable with dependency names, versions, and possibly uploaded manifest contents being queried against multiple public services. Disable or remove the GLM/Z.ai LLM detector unless you explicitly want that data sent to an AI provider, and review cache/output locations under ~/.openclaw and /tmp if using this in a shared or enterprise environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding: The script claims to scan user-specified packages, but it actually scans a hard-coded internal list. In an agent skill, this is a trust-boundary violation because the behavior materially differs from the manifest and can trigger unintended external lookups, misleading reports, or unauthorized analysis targets.

Context-Inappropriate Capability

Severity: Low
Confidence: 83%
Finding: The script accesses NVD and GitHub credentials from environment variables even though this capability is not disclosed in the skill description. While reading env vars is common for API clients, undisclosed credential access in an agent context expands the skill's effective privileges and reduces transparency for users and operators.

Description-Behavior Mismatch

Severity: Low
Confidence: 88%
Finding: The script writes detailed scan output to a fixed path in /tmp without user selection or manifest disclosure. In shared or multi-tenant environments, predictable local files can leak scan contents, be overwritten, or create unintended persistence beyond the user's requested output channel.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: This code expands the skill's behavior beyond its stated purpose by loading LLM credentials and preparing to use an external GLM service, even though the skill is described as querying NVD, OSV.dev, and GitHub Advisory. In a vulnerability-scanning skill, adding an undeclared third-party AI dependency creates a data-flow and trust-boundary risk because package names and related metadata may be transmitted to a separate provider without clear user consent or necessity.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: The function sends package metadata to a third-party LLM endpoint for classification, which is not one of the declared vulnerability data sources. Even if the data seems low sensitivity, dependency names and descriptions can reveal internal technology stacks, unreleased products, or private components, making this an unjustified external disclosure channel.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: This file implements a background-style bulk CVE synchronization system across GitHub, NVD, and OSV, which materially exceeds the skill's declared behavior of scanning user-supplied package names, versions, or dependency files on demand. In an agent context, this scope expansion can cause unauthorized network activity, increased data collection, and surprise operational behavior that users did not request or consent to.

Description-Behavior Mismatch

Severity: Low
Confidence: 90%
Finding: The code creates a persistent cache directory under the user's home directory and stores synchronization state there without that behavior being described in the skill manifest. Undisclosed local persistence is risky in agent environments because it can leave residual data, surprise users, and create cross-run state that affects privacy, debugging, and trust boundaries.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding: This code changes the semantics of version expressions by rewriting OR ('|') into a comma-delimited form that the rest of the parser treats as conjunctive constraints. In a CVE-scanning skill, incorrect range resolution can misclassify vulnerable or safe package versions, causing false negatives or false positives in security reports and undermining trust in remediation guidance.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The trigger terms are broad generic words such as 'CVE', '취약점' (Korean for 'vulnerability'), 'vulnerability', and 'security audit', which can cause the skill to activate in contexts where the user did not intend to run it. Unintended invocation is especially risky here because the skill supports file-based scanning and outbound queries to third-party services, increasing the chance of unnecessary data exposure or disruptive behavior.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The description encourages users to upload dependency files for bulk analysis but does not clearly warn that package metadata may be transmitted to external sources such as NVD, OSV.dev, or GitHub Advisory. Even if source code is not uploaded, dependency manifests can reveal internal technologies, versions, private package names, and organizational software inventory, which may be sensitive.

Missing User Warnings

Severity: Low
Confidence: 86%
Finding: This code sends user-supplied package identifiers to third-party services such as PyPI, npm, Maven, Go proxy, crates.io, Packagist, RubyGems, and GitHub. While that is expected for a CVE/version lookup tool, it still creates a privacy and data-governance issue because dependency names can reveal internal technology choices or unreleased products without clear user-facing disclosure or consent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The external API call occurs without any user-facing warning or consent at the point where package information is transmitted. In a security-audit skill, silent exfiltration of dependency metadata undermines user expectations and can leak sensitive information about internal software composition.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The script sends CVE, package, and version data to an external Brave Search helper without any disclosure, consent, or configuration guard. Even though these inputs are not highly secret in many cases, dependency names and versions can reveal internal technology stacks or vulnerable assets, creating unnecessary information exposure during verification workflows.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The script executes dynamically constructed shell commands using eval, which is dangerous because eval re-parses the string as shell syntax and can turn unexpected input into command execution. In this specific file the current call sites are hardcoded test commands, so immediate exploitability is limited, but the helper is generic and creates a command-injection footgun if reused with variable or external input in future tests or CI wrappers.

VirusTotal

66/66 vendors flagged this skill as clean.