rural-cloud-platform

Security checks across malware telemetry and agentic risk

Overview

This skill needs review because it automates access to sensitive villager records while its authorization, external code, and local data handling are not clearly bounded.

Install only if you have explicit authorization to access the rural cloud platform records and have audited the external repository and scripts it asks you to run. Before use, require clear limits on who may query records, disable or tightly control caching/logging/screenshots/exports, and verify secure cleanup or retention rules for any temporary files and session data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The documentation makes a conflicting security claim: it says sensitive personal information is not saved, yet elsewhere it explicitly describes temporary storage, caching of query results, and data export for villager records. For a skill handling highly sensitive identifiers such as phone numbers and ID numbers, this mismatch can mislead operators into unsafe deployment and retention practices, increasing privacy and compliance risk.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill is designed to query and extract villager information using phone numbers, names, and national ID numbers, but the introductory description does not warn users that it processes highly sensitive personal data. Without a prominent privacy and authorization warning, users may run the skill in inappropriate environments or on unauthorized subjects, leading to misuse or data protection violations.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation describes data export and elsewhere mentions temporary storage/caching, but it does not clearly warn that query results may persist locally on disk or in cache. When the data includes personal records, silent persistence materially increases the risk of unauthorized disclosure through leftover files, shared workstations, backups, or insecure temp directories.

VirusTotal

VirusTotal findings are pending for this skill version.
