EDA Spec2GDS

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent for an EDA workflow, but it needs Review because its setup and preview paths can make privileged host changes and expose local artifacts over the network.

Install or run this skill only in a disposable VM, containerized development environment, or dedicated EDA workstation. Review the install scripts before execution, avoid running them on shared or production systems, and do not start the dashboard unless you are comfortable exposing generated project artifacts to other machines on the network. Prefer preinstalled tools or manual installation when possible, and consider changing dashboard binds to 127.0.0.1 before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The document asserts 'No sensitive information found' and frames the skill contents as safe, but later acknowledges privileged capabilities, network access, Docker use, and system-modifying installation scripts. This mismatch can mislead reviewers or operators into underestimating the real security posture of the skill, increasing the chance that risky setup steps are run without appropriate isolation or scrutiny.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script binds a ThreadingHTTPServer to 0.0.0.0 and serves the reports directory over the network, making demo artifacts accessible to any host that can reach the port. In the skill context, these reports may include design outputs, paths, progress metadata, or other sensitive build artifacts unrelated to a minimally necessary local workflow, so exposure is broader and more dangerous than a local-only demo server.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The workflow explicitly instructs the agent to create and overwrite multiple workspace files across input, RTL, verification, synthesis, and backend directories without requiring a user-facing notice or confirmation. In an agentic environment, this can lead to unintended modification of user projects, accidental clobbering of existing artifacts, or execution of a broad file-writing workflow when the user may only have requested analysis or advice.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script performs host-level package installation, enables services, and modifies user/group membership with elevated privileges, but it does not present a clear upfront warning or confirmation before changing the system. In an agent-skill context, this is dangerous because users may invoke it expecting a local demo and instead unknowingly alter the host OS, Docker service state, and login permissions.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
Before using this skill, ensure your environment has:

**Required Tools:**
- `python3` (3.8+)
- `yosys` (synthesis)
- `iverilog` + `vvp` (simulation)
Confidence
83% confidence
Finding
Tools:*

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
- `iverilog` + `vvp` (simulation)
- `docker` (OpenLane backend)

**Optional Tools:**
- `verilator` (faster simulation)
- `klayout` (GDS visualization)
- `gtkwave` (waveform viewing)
Confidence
91% confidence
Finding
Tools:*

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
    permissions:
      - sudo_access  # Required only for initial toolchain installation
      - docker_group  # Required for OpenLane backend runs
    install_script: scripts/install_ubuntu_24_mvp.sh  # Optional, requires sudo
  warnings:
    - This skill includes optional installation scripts that modify system state (apt packages, Docker group, pip virtualenvs)
    - Run installation scripts only in isolated environments (VM, container, or development machine)
Confidence
95% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# eda-spec2gds Skill

> **⚠️ Security Notice:** This skill includes optional system installation scripts (`scripts/install_ubuntu_24_mvp.sh`, `scripts/bootstrap_eda_demo.sh`) that require sudo access and modify system state. These scripts should only be run in isolated development environments (VM, container, or dedicated workstation), not production systems. Core skill operations (RTL generation, file management, report collection) are file-based and safe.

Execute a staged, artifact-first open-source EDA flow within the workspace. Prefer deterministic scripts for execution, keeping the agent focused on planning, generation, diagnosis, and iteration.
Confidence
96% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
python3-venv

sudo systemctl enable --now docker
sudo usermod -aG docker "$USER"

python3 -m venv "$HOME/.venvs/openlane"
# shellcheck disable=SC1091
Confidence
90% confidence
Finding
sudo

Session Persistence

Medium
Category
Rogue Agent
Content
python3-pip \
  python3-venv

sudo systemctl enable --now docker
sudo usermod -aG docker "$USER"

python3 -m venv "$HOME/.venvs/openlane"
Confidence
88% confidence
Finding
systemctl enable

VirusTotal

VirusTotal findings are pending for this skill version.
