SeeWeb Uptime

Security checks across malware telemetry and agentic risk

Overview

This Watch.dog skill appears intended for monitoring management, but it combines credential persistence and destructive account actions with weak user-consent boundaries.

Review this skill before installing. Only use it if you are comfortable storing a Watch.dog API key locally, having the agent contact Watch.dog with that key, and granting it authority to modify or delete monitors. Prefer a restricted API key if Watch.dog supports one, and confirm any destructive action manually.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The skill exposes state-changing and destructive operations such as delete_monitor, delete_watchdog, pause/resume, and update_tracker_page, while the manifest description emphasizes monitoring and status-checking. Even though the deletion tools mention confirmation in their descriptions, there is no hard technical enforcement in code, so an agent or a prompt injection could invoke them and modify or destroy user resources.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The embedded prompt instructs the agent to automatically create or overwrite a local .env file with user credentials, but the skill itself provides no explicit, auditable tool for that operation. This creates a dangerous mismatch where a host agent with broader native file-write abilities could be induced to persist secrets locally without a clear consent boundary or safety controls.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill instructs an automatic silent connection test immediately after credentials are provided, but it does not clearly warn the user that their newly supplied API key will be used to contact a third-party service. Silent transmission of secrets or account-derived data undermines user awareness and may violate expectations around when external access occurs.

Missing User Warnings

Medium
Confidence: 89%
Finding
The code sends the user's API key in an Authorization header to a remote endpoint and forwards account-related tool arguments, but there is no explicit in-skill disclosure to the user when this transmission occurs. In a credential-handling skill, lack of clear disclosure weakens informed consent and increases the chance users unknowingly expose secrets to a third-party service.

Missing User Warnings

Medium
Confidence: 94%
Finding
The prompt directs the agent to create or overwrite the local .env file with API credentials without warning the user that local credential storage will be modified. Silent persistence of secrets to disk can surprise users, violate least astonishment, and leave credentials exposed through filesystem access, backups, or accidental commits.

Ssd 3

Medium
Confidence: 92%
Finding
Automatically exercising newly entered credentials causes immediate secret use and account access without a separate user action requesting that access. Even if the call is only a list operation, it still validates and transmits sensitive credentials to a remote endpoint, which increases the risk of accidental disclosure or unintended account interaction.

VirusTotal

66/66 vendors flagged this skill as clean.
