Catch My Skill

Security checks across malware telemetry and agentic risk

Overview

This skill mostly checks skill versions, but its update path can run unsafe shell commands and install remote code into the local skills workspace without clear confirmation.

Review before installing. Avoid using `update` with untrusted or unusual skill names, verify the GitHub owner and ClawHub package source, and check whether any cron entry is actually added. This is not classified as malicious because the artifacts do not show exfiltration, destructive behavior, or hidden credential theft, but the shell-command and persistence risks warrant Review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Severity: High
Confidence: 94%
Finding:
The skill is presented as a version-diff checker, but it also performs update/install actions that clone repositories or install packages. This expands its effective privileges from read-only inspection to code-fetching and workspace modification, which can mislead users into authorizing behavior they did not expect.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
The code executes external shell commands (`git clone`, `clawhub install`) for a tool whose stated purpose is version comparison. Running subprocesses to fetch and install remote content can introduce arbitrary untrusted code into the local skills workspace, especially since the source repo is built from configurable data.

Intent-Code Divergence

Severity: Medium
Confidence: 84%
Finding:
The `init` flow is described as a harmless synchronization step, but it overwrites the tracked local list with online data. That can silently replace user-maintained state and change what later commands act upon, creating integrity and trust issues even though it is not direct code execution.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The README states that a crontab entry is 'automatically added' every 30 minutes, which implies persistent modification of the user's scheduling configuration without clear opt-in, review steps, or removal guidance. Automatic persistence mechanisms are security-sensitive because they change system behavior beyond a one-time run and can surprise users or be abused to create unwanted background execution.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
Automatically modifying crontab without a prominent warning or explicit consent is security-relevant because it creates persistence and recurring execution on the user's system. In this skill's context, scheduled network checks and update-related behavior make the omission more dangerous, since users may not realize they are authorizing ongoing background activity.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The skill modifies the local skills workspace through subprocesses without an explicit warning about filesystem changes. In this context, users may reasonably expect only inspection, so silent writes and installs increase the chance of unintended persistence of remote content.

VirusTotal

64/64 vendors flagged this skill as clean.