Catalog

Security checks across malware telemetry and agentic risk

Overview

This skill runs a small local script to return a fixed service price list, with no evidence of hidden data access, network use, persistence, or destructive behavior.

Install this only if you are comfortable with a skill invoking a local Node.js command when answering catalog questions. The reviewed version is narrow and hardcoded, but a static data file would be simpler and lower risk for this use case.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium (82% confidence)

Finding:
The skill is presented as a simple catalog/hello-world capability, but its documented behavior requires local command execution on the host. That mismatch is security-relevant because it hides privileged behavior behind an innocuous description, reducing user scrutiny and increasing the chance that command execution is triggered without informed consent.

Context-Inappropriate Capability

Medium (80% confidence)

Finding:
Using a host command to retrieve simple catalog data is an unnecessary expansion of attack surface for a low-complexity task. Even if the current command is fixed, enabling Exec Tool for basic content retrieval creates a pathway for abuse, misconfiguration, or future command injection-style issues in a context that does not need it.

Missing User Warnings

Medium (88% confidence)

Finding:
The markdown instructs the agent to run a local command but provides no warning that the skill will execute code on the host system. This lack of disclosure is dangerous because users and administrators may treat the skill as harmless informational content while it actually invokes local execution capabilities.

VirusTotal

64/64 vendors flagged this skill as clean.