
Security audit

Build With Public Writer

Security checks across malware telemetry and agentic risk

Overview

This writing helper mostly discloses what it does, but the sharing server and Git helper it generates can expose or commit more local data than users may expect.

Install only if you intend to use a local publishing helper and can review its shell script before running it. If you do install it:
  • change the default password in the generated `.env` before starting the server;
  • bind the server to localhost or a trusted interface;
  • add `.env` to `.gitignore`;
  • review `git status` and `git diff` before `bwp commit`;
  • do not expose the generated server publicly until its path handling and directory listing behavior are fixed.
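The pre-run checks above can be scripted. The following is an added example written for this audit, not code from the bwp project: it parses a `.env` file and a `.gitignore`, flags the seeded default password, a non-loopback bind address, and a missing `.env` ignore rule. The key names `HOST`, `PORT`, `BWP_USER` and `BWP_PASSWORD`, and both sample files, are assumptions constructed for the example; the audit only states that the generated `.env` holds the port and Basic Auth credentials and seeds the password with `changeme`.

```python
import re

# Constructed sample files for this example. The .env key names are an
# assumption; the audit only says the generated .env holds the port and
# Basic Auth credentials and seeds the password with 'changeme'.
SAMPLE_ENV = """\
# generated by bwp init
HOST=0.0.0.0
PORT=8080
BWP_USER=writer
BWP_PASSWORD="changeme"
"""

SAMPLE_GITIGNORE = """\
node_modules/
*.log
"""

DEFAULT_PASSWORDS = {"", "changeme", "password", "admin"}
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines, skipping comments and blanks, stripping quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def audit_env(env: dict) -> list:
    """Flag a default or short password and a non-loopback bind address."""
    findings = []
    password = env.get("BWP_PASSWORD", "")
    if password.lower() in DEFAULT_PASSWORDS:
        findings.append("default-password")
    elif len(password) < 12:
        findings.append("short-password")
    host = env.get("HOST", "127.0.0.1")
    if host not in LOOPBACK_HOSTS:
        findings.append("non-loopback-bind")
    return findings


def env_is_ignored(gitignore_text: str) -> bool:
    """True if some .gitignore line excludes a top-level .env file."""
    for raw in gitignore_text.splitlines():
        pattern = raw.strip()
        if not pattern or pattern.startswith("#") or pattern.startswith("!"):
            continue
        if pattern in (".env", "/.env", "**/.env"):
            return True
        # Glob-style patterns such as '.env*' or '*.env'
        if re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), ".env"):
            return True
    return False


def audit_project(env_text: str, gitignore_text: str) -> list:
    """Run every check and return the findings in a stable order."""
    findings = audit_env(parse_env(env_text))
    if not env_is_ignored(gitignore_text):
        findings.append("env-not-gitignored")
    return findings


if __name__ == "__main__":
    # On a real checkout pass Path(".env").read_text() and
    # Path(".gitignore").read_text() instead of the constructed samples.
    for finding in audit_project(SAMPLE_ENV, SAMPLE_GITIGNORE):
        print("FINDING:", finding)
```

Run it from the project directory before the first `bwp link`; an empty result means the password was changed, the server binds to loopback, and a later `bwp commit` cannot pick up `.env`.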

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill advertises content creation but its documented behavior clearly involves shell execution, file access, and local networking without any declared permissions boundary. That mismatch increases risk because users and reviewers are not given an accurate understanding of the skill's capabilities before use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented functionality goes well beyond writing assistance into project scaffolding, credential file generation, HTTP service provisioning, markdown rendering, and git operations. This description-behavior gap is dangerous because it can cause users to invoke a skill expecting simple content creation while it also modifies the filesystem, creates services, and exposes content over a network endpoint.

Context-Inappropriate Capability

Low
Confidence
78% confidence
Finding
Appending an alias to ~/.bashrc creates a persistent shell modification outside the immediate task and affects future sessions. While not inherently malicious, it expands the skill's impact on the user's environment and can be abused or cause unexpected behavior if done without strong justification and explicit consent.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The init workflow provisions a .env file and a local web server with Basic Auth, which is materially more sensitive than generating content templates. This broadens the attack surface by introducing credential handling and a network-exposed service in a skill that users may perceive as a simple writing tool.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is presented as a content-creation helper, but its init flow silently provisions a web server, authentication config, and file-sharing capability. That scope expansion increases attack surface and can expose project files over HTTP if the user starts the server with weak default credentials, making this a real security-relevant behavior mismatch.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script creates a .env file containing authentication material without warning the user and seeds it with a predictable default password ('changeme'). This creates a realistic risk that users deploy or run the generated server with default credentials, enabling unauthorized access to served content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script silently generates a network service that serves local project files and uses credentials from .env, but does not explicitly warn that it is creating a component intended for HTTP exposure. Hidden creation of a file-serving server materially changes the trust model of the tool and can lead to accidental data exposure, especially when paired with weak defaults.
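The two server findings above (weak default credentials and a hidden file-serving component) come down to three things a generated `server.py` must get right: constant-time Basic Auth, a path resolver that cannot escape the project root or hand out dotfiles such as `.env`, and no directory listings. The block below is an added example written for this audit, not the skill's own `server.py`, and shows one hardened shape for all three. The request handler, the demo project tree, and the user `writer` / password `s3cret` are constructed for the example; the real server's routes and credential names are not documented on this page.

```python
import base64
import hmac
import tempfile
from pathlib import Path, PurePosixPath
from urllib.parse import unquote


def resolve_under_root(root: str, url_path: str):
    """Map a URL path to a file under root; None for traversal or dotfiles."""
    root_path = Path(root).resolve()
    # Decode percent-escapes first so '%2e%2e' cannot smuggle a '..' past us.
    decoded = unquote(url_path.split("?", 1)[0])
    rel = PurePosixPath(decoded.lstrip("/"))
    for part in rel.parts:
        # '..' is traversal; other leading dots cover .env, .git and friends;
        # backslashes are rejected in case the server ever runs on Windows.
        if part.startswith(".") or "\\" in part:
            return None
    candidate = (root_path / Path(*rel.parts)).resolve()
    # resolve() follows symlinks, so a link pointing outside root is caught too.
    if candidate != root_path and root_path not in candidate.parents:
        return None
    return candidate


def basic_header(user: str, password: str) -> str:
    """Build an Authorization header the way a browser or `curl -u` would."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def check_basic_auth(header, user: str, password: str) -> bool:
    """Constant-time comparison of both credential fields."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    given_user, _, given_pw = raw.partition(":")
    ok_user = hmac.compare_digest(given_user.encode(), user.encode())
    ok_pw = hmac.compare_digest(given_pw.encode(), password.encode())
    return ok_user & ok_pw  # '&' evaluates both; no early exit on a wrong user


def handle_request(root: str, url_path: str, auth_header, user: str, password: str):
    """Return (status, body) for one GET; never produces a directory listing."""
    if not check_basic_auth(auth_header, user, password):
        return 401, "authentication required"
    target = resolve_under_root(root, url_path)
    if target is None:
        return 404, "not found"  # same answer for missing and forbidden paths
    if target.is_dir():
        return 403, "directory listing disabled"
    if not target.is_file():
        return 404, "not found"
    return 200, target.read_text()


def make_demo_project() -> str:
    """Constructed project tree: one note plus the .env the server must not serve."""
    root = Path(tempfile.mkdtemp(prefix="bwp-demo-"))
    (root / "notes").mkdir()
    (root / "notes" / "hello.md").write_text("# hello\n")
    (root / ".env").write_text("BWP_PASSWORD=changeme\n")
    return str(root)


if __name__ == "__main__":
    from http.server import BaseHTTPRequestHandler, HTTPServer

    ROOT, USER, PASSWORD = make_demo_project(), "writer", "s3cret"

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            status, body = handle_request(
                ROOT, self.path, self.headers.get("Authorization"), USER, PASSWORD)
            self.send_response(status)
            if status == 401:
                self.send_header("WWW-Authenticate", 'Basic realm="bwp"')
            self.send_header("Content-Type", "text/plain; charset=utf-8")
            self.end_headers()
            self.wfile.write(body.encode())

    # Loopback only; expose it through a reverse proxy or SSH tunnel if needed.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Traversal, percent-encoded traversal and `/.env` all collapse to the same 404 so a probing client learns nothing about which paths exist, and the listener is bound to 127.0.0.1 rather than all interfaces.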

Credential Access

High
Category
Privilege Escalation
Content
**Notes**:
- Creates the full directory structure
- Generates a README.md documentation file
- Automatically generates a .env configuration file (containing the port and authentication information)
- Automatically generates a server.py web server (supports Markdown rendering and Basic Auth)
- Only needs to be run once, or again if the directory is missing
Confidence
82% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
---

## .env configuration notes

The `bwp link` command reads its configuration from the `/home/claw/codewithriver/.env` file:
Confidence
84% confidence
Finding
.env

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.