Alerting & Notification System

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real alerting skill, but it needs review before installation because it can modify other skills, create a privileged recurring cron job, and run shell commands built from alert data or URLs.

Install only after review. Do not run the cron or integrate commands unless you intentionally want system-level recurring monitoring and files written into other skills. Replace example endpoints and recipients with approved values, avoid email alerts for sensitive data until payload redaction is added, and prefer safer implementations that use native HTTP/email APIs or argument-array subprocess calls instead of shell-built commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises operational capabilities that imply environment access, shell execution, and network activity, but it declares no permissions or trust boundaries. In an agent ecosystem, this prevents informed consent and can enable unexpectedly broad access to local systems and external services, especially when the examples include file/log monitoring and active HTTP checks.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is a generic alerting system, but the described behavior includes persistence mechanisms, privileged filesystem changes, modification of other skills, and hardcoded monitoring of external Tiklick services. That mismatch is dangerous because users may approve a benign-seeming alerting skill while it gains persistence, alters unrelated components, and performs privileged or off-host actions not clearly disclosed.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script writes new executable integration code directly into another skill's directory, creating cross-skill side effects and expanding the trusted codebase without isolation or consent. This is dangerous because it can silently alter behavior of a separate component and creates a persistence/modification mechanism that could be abused for lateral movement inside the skills workspace.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This integration function generates executable code inside the security-tools skill, which is especially sensitive because it affects a security-relevant component. Cross-writing into a security skill increases blast radius: if the generated code is flawed or later manipulated, it can compromise security workflows or provide a stealthy path to execute alerting-controlled commands.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script installs a system-wide cron job under /etc/cron.d, creating recurring execution and persistence at the host level. This is dangerous because it turns a skill setup script into a privileged persistence mechanism and repeatedly executes monitoring logic against external endpoints without strong user acknowledgement or hardening.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill imports and uses child_process.exec to build shell commands from alert data, environment variables, and monitoring inputs. This introduces command-injection risk and grants the skill subprocess capability that can execute arbitrary shell syntax if any interpolated field is attacker-controlled.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill promotes Telegram, email, webhooks, and dashboard notifications but does not clearly warn that alert contents may include operational data, logs, host details, or monitored values sent off-host. This creates a realistic risk of unintentional data exfiltration because users may enable channels without understanding that sensitive alert payloads could leave the environment.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The examples show access to authentication logs, application logs, sales CSVs, and backup artifacts, all of which may contain credentials, personal data, financial information, or sensitive operational details. Without an explicit warning or scope restriction, the skill normalizes reading sensitive local data and potentially forwarding derived alert details to external channels.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script performs privileged file creation and cron modification with sudo but does not present a clear warning or consent flow before making persistent system changes. Hidden privileged side effects are risky because users may invoke a seemingly routine integration command that alters system scheduling and filesystem state beyond the skill's own directory.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The email path sends full alert titles, messages, and metadata to an external recipient without any explicit consent, warning, or data-classification controls. In an alerting system, alerts may contain secrets, internal URLs, stack traces, or customer data, so silent exfiltration to external email creates meaningful confidentiality risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The monitoring function performs outbound requests to arbitrary URLs and does so via a shell-constructed curl command. This can leak network metadata, probe internal services if URLs are attacker-influenced, and creates SSRF-like risk in environments with privileged network access.

External Transmission

Medium
Category
Data Exfiltration
Content
# Monitor Tiklick APIs (examples - adjust to the real URLs)
APIS=(
    "https://api.tiklick.com/health"
    "https://admin.tiklick.com"
    "https://app.tiklick.com"
)
Confidence
88% confidence
Finding
https://api.tiklick.com/

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# Logs directory
if [ ! -d "$LOG_DIR" ]; then
    log_info "Creando directorio de logs: $LOG_DIR"
    sudo mkdir -p "$LOG_DIR"
    sudo chown rhandus:rhandus "$LOG_DIR"
fi
Confidence
93% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
if [ ! -d "$LOG_DIR" ]; then
    log_info "Creando directorio de logs: $LOG_DIR"
    sudo mkdir -p "$LOG_DIR"
    sudo chown rhandus:rhandus "$LOG_DIR"
fi

log_success "Dependencias verificadas"
Confidence
91% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
chmod +x "$script_path"

# Configure cron job (every 15 minutes)
echo "*/15 * * * * rhandus $script_path" | sudo tee "$cron_file" > /dev/null

log_success "Cron job configurado: cada 15 minutos"
log_info "Script: $script_path"
Confidence
96% confidence
Finding
sudo

Chaining Abuse

High
Category
Tool Misuse
Content
chmod +x "$script_path"

# Configure cron job (every 15 minutes)
echo "*/15 * * * * rhandus $script_path" | sudo tee "$cron_file" > /dev/null

log_success "Cron job configurado: cada 15 minutos"
log_info "Script: $script_path"
Confidence
95% confidence
Finding
| sudo

VirusTotal

66/66 vendors flagged this skill as clean.