Maxun

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Maxun integration, but it asks for broad no-confirmation shell access and has under-disclosed state-changing and local execution risks.

Review before installing. Use it only if you trust the publisher and need Maxun robot control. Keep command confirmations enabled, avoid global full-shell permissions, set the API key through a trusted environment, do not run it from directories with untrusted `.env` files, and treat `abort` as a sensitive action that should be explicitly approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill invokes a shell-capable `exec` tool but does not declare permissions or clearly communicate that command execution is part of its security model. This creates a transparency and review gap: operators may enable a skill believing it is data-access only, while it can actually execute commands in the host environment.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The declared purpose says the skill lists/runs robots and gets results, but the implementation also supports fetching robot metadata, historical runs, and aborting runs. This behavior mismatch increases the chance that users or reviewers authorize the skill without understanding its broader operational control over Maxun resources.

Description-Behavior Mismatch

Severity: Low
Confidence: 90%
Finding: The manifest description omits the ability to abort robot runs, which is a write/control action rather than simple retrieval. Even if the capability is legitimate, hiding it in documentation reduces informed consent and can lead to misuse or unexpected disruption of active jobs.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The skill includes `maxun abort <robotId> <runId>`, which can terminate in-progress automation and affect availability or business workflows. Because the stated purpose focuses on listing/running/scraping/results, this control action is insufficiently justified and expands the blast radius beyond user expectations.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The instructions push the model to execute shell commands directly and to display outputs without interpretation, while providing no warning to users that command execution is occurring. This weakens human oversight and can normalize silent execution of external operations tied to a privileged API key.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The setup instructs users to configure `exec` with `security: full` and `ask: off`, disabling confirmation prompts for shell execution. This meaningfully increases risk because any future misrouting, prompt injection, or skill misuse can result in unreviewed command execution against the local environment and Maxun account.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The abort command performs a state-changing API action immediately, without confirmation, dry-run support, or any guardrails. In an agent context, this can cause accidental disruption of legitimate scraping jobs if the tool is invoked with the wrong run ID or from ambiguous user intent.

VirusTotal

67/67 vendors reported this skill as clean.