Opcode

Security checks across malware telemetry and agentic risk

Overview

Opcode is a legitimate workflow automation skill, but it installs a persistent daemon with broad shell, filesystem, network, scheduling, and secret-handling authority that requires careful review before use.

Install only if you intentionally want a powerful local automation daemon. Pin and review the upstream Go package, bind the SSE endpoint to localhost or protect it with authentication and network controls, run it as a low-privilege OS user, configure filesystem and network restrictions, avoid command-line vault keys, and audit scheduled workflows and stored history regularly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Description-Behavior Mismatch

Severity: Medium
Confidence: 81%
Finding
The documentation states first-time setup downloads an external binary into the user's data directory while the product also manages a secret vault. That combination expands trust to third-party code during installation and increases supply-chain risk, especially if users assume vault-related setup is self-contained and security-sensitive.

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding
The documented self-update command reaches out to GitHub and may fall back to `go install`, which introduces remote code retrieval and execution capabilities beyond core workflow orchestration. This is a meaningful supply-chain and trust-boundary expansion, particularly for an agent runtime that may be deployed persistently.

Context-Inappropriate Capability

Severity: High
Confidence: 93%
Finding
The runtime explicitly supports shell execution, which is a powerful code-execution capability. In the context of an agent workflow engine with templating, scheduling, and persistence, shell access materially raises the risk of host compromise, lateral movement, and abuse if workflows or inputs are attacker-controlled.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The documentation says HTTP access is permitted and that defaults are permissive with no network restrictions. For a long-running workflow engine, unrestricted outbound network access enables data exfiltration, SSRF-style abuse against internal services, and command-and-control behavior if workflows are influenced by untrusted input.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding
This documentation explicitly advertises unrestricted multi-language script execution through `shell.exec`, including Bash, Python, Node, and Go, with arbitrary stdin/stdout chaining. In an agent skill, that materially expands capability from workflow orchestration into general code execution, which can enable host compromise, data exfiltration, destructive commands, or persistence if an agent or user supplies unsafe scripts or parameters.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill explicitly documents powerful actions such as `fs.delete`, `fs.move`, `fs.write`, and `shell.exec` but does not provide a clear safety warning, permission model summary, or usage constraints for potentially destructive operations. In an agent skill context, this increases the likelihood that an LLM-driven agent will invoke file deletion or arbitrary command execution on the host system without adequate user confirmation, leading to data loss or system compromise.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The documentation presents `${{secrets.*}}` interpolation alongside HTTP actions without prominently warning that secrets may be transmitted to external services or logged through workflow steps. Because this skill is designed for persistent, automated workflows, accidental inclusion of secrets in requests, outputs, or event history can cause durable credential exposure and downstream account compromise.

Missing User Warnings

Severity: Low
Confidence: 76%
Finding
The self-update behavior is documented functionally but lacks an explicit warning that it downloads and installs code. Even if intended for maintenance, omitting that warning can lead operators to invoke update in sensitive environments without appreciating the code-execution and supply-chain implications.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The documentation recommends `--allow-http`/`--insecure` for non-HTTPS endpoints without clearly warning that transport is plaintext and susceptible to interception or tampering. Because this service exposes MCP JSON-RPC over SSE and may handle workflow definitions, secrets-adjacent operations, or control actions, insecure transport is materially risky.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The examples repeatedly combine network access, shell execution, workflow chaining, and file writes without any safety notice about host impact, data exposure, or trust boundaries. For an agent-facing skill, omission of such warnings increases the chance that users deploy dangerous patterns directly, especially when interpolated inputs can flow into commands, files, or outbound requests.

VirusTotal

65/65 vendors flagged this skill as clean.