Security audit

Smarter Content

Security checks across malware telemetry and agentic risk

Overview

This writing helper has a coherent purpose, but its scripts build shell commands from user-controlled article text and URLs, creating a real local command-execution risk.

Review before installing. Do not use this skill with untrusted article text, private drafts, or sensitive/internal URLs unless the shell execution is replaced with safe argument passing and the network/privacy behavior is clearly documented.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill advertises behavior that uses network access (fetching reference URLs and likely using web search/fact-check services) but does not declare permissions or clearly disclose that external access occurs. Undeclared network capability reduces user awareness and platform policy enforcement, increasing the chance of unexpected outbound requests and data exposure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented purpose understates the skill's real behaviors: it fetches arbitrary remote content, exports files, and supports ClawHub-oriented output beyond the stated scope. This mismatch can mislead users and reviewers about data flows and side effects, which is especially risky when arbitrary URLs and file generation are involved.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code builds a shell command by interpolating generated content directly into a command string passed to execSync. Escaping only double quotes is insufficient: other shell metacharacters (backticks, dollar-sign substitutions) and platform-specific quoting rules can still alter how the command is parsed and executed, so this is a command injection risk whenever untrusted content reaches factCheckContent.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script interpolates a user-supplied URL directly into a command string passed to execSync, which invokes a shell. An attacker can supply crafted input containing quotes or shell metacharacters to achieve command injection and execute arbitrary commands on the host running the skill.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill says it will automatically fetch content from a user-provided URL but does not warn that this causes outbound network access or that reference content may be retrieved and processed. That omission can lead users to disclose sensitive internal URLs or unintentionally trigger access to untrusted sites, creating privacy and SSRF-like risk depending on the runtime environment.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill fetches arbitrary user-provided URLs and transmits that URL to an external retrieval mechanism without any disclosure, restriction, or safety checks. This can expose internal services or sensitive endpoints to server-side request forgery behavior and may also send private URLs or content to third-party infrastructure unexpectedly.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/content-generator.js:112