SOTA Tracker (Claw)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate AI model tracker, but it should be reviewed because it can repeatedly rewrite agent instruction files and includes reduced-safety model recommendations without strong user controls.

Review before installing. Use it only if you want a SOTA model recommendation tool, keep the API local or behind a firewall, pin and audit dependencies, and do not enable cron/systemd updates to CLAUDE.md or agents.md until you have reviewed the exact file path, backup behavior, and how to disable it. Consider filtering or disabling uncensored-model recommendations unless that is an explicit user-approved requirement.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Intent-Code Divergence

Severity: Medium. Confidence: 96%.
Finding:
The script behavior is destructive in a way the docstring does not disclose: `main()` unconditionally deletes the existing SQLite database before recreating it. That mismatch can lead operators or automation to run it in production or against valuable local data, causing irreversible data loss.

Missing User Warnings

Severity: Medium. Confidence: 95%.
Finding:
The skill recommends setting up a script to automatically update the user's ~/.claude/CLAUDE.md on a recurring schedule, but it does not clearly warn that this repeatedly modifies a user-owned configuration/context file. Because CLAUDE.md can materially affect agent behavior and may contain custom instructions, regular unattended edits can overwrite or drift existing content in ways the user did not explicitly review.

Missing User Warnings

Severity: Medium. Confidence: 95%.
Finding:
The skill provides commands to automate recurring updates to agents.md without clearly warning that this may alter existing prompts, instructions, or manually maintained agent configuration. In agent ecosystems, silent or scheduled prompt-file modification is security-relevant because it can change future model behavior persistently and without fresh user review.

Vague Triggers

Severity: Medium. Confidence: 87%.
Finding:
The example companion skill description is broad enough to auto-activate across many ordinary AI-model conversations, which can inject hidden behavioral constraints into unrelated sessions. In this context, the risk is increased because the skill mandates tool use and hard-coded model-selection behavior, so overly broad triggering can silently steer recommendations without clear user intent.

Natural-Language Policy Violations

Severity: Medium. Confidence: 94%.
Finding:
The embedded statement that the user 'prefers uncensored models' hard-codes a sensitive preference into the skill without runtime consent or verification. This can bias outputs toward reduced-safety model recommendations and misrepresent user intent, especially if the skill activates automatically in general AI-model discussions.

Natural-Language Policy Violations

Severity: Medium. Confidence: 80%.
Finding:
This entry promotes an uncensored variant in model metadata without any indication of user opt-in, gating, policy constraints, or safety warnings. In a catalog consumed by agents or selection logic, that can normalize or silently route users toward less restricted models, increasing the chance of harmful or policy-violating outputs.

Natural-Language Policy Violations

Severity: Medium. Confidence: 86%.
Finding:
This local model entry advertises an uncensored variant as an available option without any surrounding control language or consent mechanism. If this JSON feeds recommendation, UI, or automated tooling, users or downstream agents may be steered to unsafe models by default or without understanding the risk tradeoff.

Natural-Language Policy Violations

Severity: High. Confidence: 95%.
Finding:
This entry goes beyond neutral documentation and explicitly markets 'uncensored' behavior as a strength and use case. That framing encourages selection of guardrail-free models for unrestricted interactions, which materially raises the likelihood of abuse-enabling, harmful, or noncompliant outputs in an agent ecosystem.

Natural-Language Policy Violations

Severity: High. Confidence: 97%.
Finding:
Describing an uncensored model as providing capability 'without restrictions' is an affirmative endorsement of removed safety controls. In a model registry, this can bias automated or human selection toward less safe systems and undermine platform-level protections intended to prevent harmful generation.

Natural-Language Policy Violations

Severity: High. Confidence: 98%.
Finding:
Advertising 'No refusals on complex topics' for an uncensored reasoning model directly signals that safety refusals have been stripped and frames that as desirable functionality. In the context of an agent skill that catalogs state-of-the-art models, this is especially dangerous because it can guide downstream systems toward models more likely to generate harmful, disallowed, or abuse-facilitating content.

Natural-Language Policy Violations

Severity: Medium. Confidence: 91%.
Finding:
The server instructions and recommendation logic explicitly support prioritizing 'uncensored' model variants as a user preference, which can steer downstream agents toward models with fewer safety controls. In a model-recommendation skill, this increases the chance of facilitating harmful or policy-violating outputs, especially because the feature is embedded in normal recommendation flows rather than tightly constrained administrative settings.

Natural-Language Policy Violations

Severity: Medium. Confidence: 94%.
Finding:
The get_best_in_class tool advertises categories such as 'Best uncensored' and 'no restrictions,' normalizing selection of less-restricted models as a desirable feature. Because this skill's purpose is to guide model choice, these labels directly encourage use of models that may bypass content safeguards, making misuse easier and more likely.

Missing User Warnings

Severity: Low. Confidence: 89%.
Finding:
The code persists a hardware profile to disk and, when no profile name is supplied, uses the machine hostname as the profile identifier. Hostnames and hardware characteristics can be system-identifying metadata, so storing them without explicit user disclosure or consent creates a privacy issue, especially on shared systems or when the data directory may later be collected, synced, or exfiltrated.

Known Vulnerable Dependency: fastmcp — 8 advisory(ies): CVE-2025-69196 (FastMCP OAuth Proxy token reuse across MCP servers); GHSA-c2jp-c369-7pvx (FastMCP Auth Integration Allows for Confused Deputy Account Takeover); CVE-2025-64340 (FastMCP has a Command Injection vulnerability - Gemini CLI) +5 more

Severity: Critical. Category: Supply Chain. Confidence: 98%.
Finding: fastmcp

Known Vulnerable Dependency: aiohttp — 10 advisory(ies): CVE-2024-52303 (aiohttp has a memory leak when middleware is enabled when requesting a resource ); CVE-2026-34514 (AIOHTTP has CRLF injection through multipart part content type header constructi); CVE-2026-34517 (AIOHTTP has late size enforcement for non-file multipart fields causes memory Do) +7 more

Severity: High. Category: Supply Chain. Confidence: 93%.
Finding: aiohttp

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Severity: Low. Category: Supply Chain. Confidence: 77%.
Finding: python-dotenv

Known Vulnerable Dependency: fastapi — 3 advisory(ies): CVE-2021-32677 (Cross-Site Request Forgery (CSRF) in FastAPI); CVE-2021-32677 (FastAPI is a web framework for building APIs with Python 3.6+ based on standard ); CVE-2024-24762 (FastAPI is a web framework for building APIs with Python 3.8+ based on standard )

Severity: High. Category: Supply Chain. Confidence: 90%.
Finding: fastapi

Known Vulnerable Dependency: uvicorn — 4 advisory(ies): CVE-2020-7694 (Log injection in uvicorn); CVE-2020-7695 (HTTP response splitting in uvicorn); CVE-2020-7694 (This affects all versions of package uvicorn. The request logger provided by the) +1 more

Severity: High. Category: Supply Chain. Confidence: 91%.
Finding: uvicorn

VirusTotal

63/63 vendors flagged this skill as clean.