Crash Fixer

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate crash-fixing purpose, but it needs review because it sends sensitive crash and repository data to an external AI service and can create code-changing GitHub pull requests by default.

Install only if you are comfortable with crash data and source snippets being sent to MiniMax/ZAI and with the skill creating GitHub branches, commits, and PRs. Use --dry-run first, provide a least-privilege GitHub token limited to the target repository, verify the crash reporter URL, and require human review before allowing non-dry-run runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill declares access to environment variables and clearly describes networked actions, but it does not expose an explicit permissions model to users despite being user-invocable. That creates a transparency and review gap: a user may trigger a workflow that can read sensitive tokens and call external services without an adequate permission warning.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The documented behavior materially differs from the observed behavior: the documentation references Cloudflare D1 and Codex 5.3 High, while the implementation reportedly uses a generic REST crash service, MiniMax, repository code search, and writes status data back to the service. This mismatch undermines informed consent and risk assessment, because users may authorize or invoke the skill under false assumptions about where data is sent, which model sees the code and crash data, and what side effects occur.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The skill claims crash analysis is performed with Codex 5.3 High, but actually sends crash data to MiniMax. This matters because the prompt includes user IDs, device details, messages, stack traces, and repository code context, so the undocumented model/provider substitution changes the trust boundary and can expose sensitive data to an unexpected third party.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill is user-invocable and performs potentially destructive repository actions, but the description does not clearly warn that normal operation creates branches, commits, and pull requests. That omission is risky here because the skill also has access to GitHub credentials and autonomous fix generation, so a user may trigger code changes without appreciating the resulting external side effects.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The code constructs a prompt containing the crash message, stack trace, app version, user ID, and device info, then sends it to an external AI API. In a crash-fixing skill this is especially dangerous because crash reports often contain sensitive user data, internal paths, tokens, and proprietary source context, creating a clear confidentiality and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.
