Solo Impl

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Solo CLI robot executor, but it can run shell commands and move physical hardware with too little final confirmation for several high-impact actions.

Install only if you intentionally want an agent to run Solo CLI commands on your machine and control attached robot hardware. Stay physically present, keep the robot workspace clear, review displayed commands carefully, avoid shell-special characters in names/paths/tasks, prefer local-only datasets unless you mean to upload, and use least-privilege HuggingFace/W&B credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The prompt explicitly authorizes execution of non-Solo utilities such as git, curl, source, echo, ls, and osascript in addition to Solo CLI commands. That materially broadens the skill’s execution surface beyond its stated purpose and creates a path for filesystem inspection, remote fetch/execution, and terminal automation that can be abused if user intent is ambiguous or prompt parameters are manipulated.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The skill permits credentialed network actions such as HuggingFace pushes and W&B logging as part of autonomous execution. Those actions can exfiltrate datasets, metadata, or model artifacts to third-party services and extend impact beyond the local terminal-execution purpose, especially because the agent proceeds after only a disclosure rather than an explicit approval at execution time.

Vague Triggers

High
Confidence: 91%
Finding
The activation criteria include broad phrases like 'run', 'execute', and 'do it for me', which are likely to match ordinary conversation and cause this autonomous execution skill to trigger unexpectedly. Because the skill is designed to run shell commands and open real terminals, accidental invocation can lead to unintended system changes or robot actions without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly supports pushing recorded datasets to HuggingFace Hub, but the manifest does not provide a clear privacy or data-transmission warning before enabling upload behavior. Because dataset recording may include camera feeds, robot trajectories, and task metadata, a user could unintentionally publish sensitive visual or operational data to a remote service.

Vague Triggers

Low
Confidence: 87%
Finding
The training action is defined for an autonomous executor that actually runs shell commands, but the description and trigger language do not impose clear confirmation or authorization boundaries before starting a potentially expensive and state-changing operation. In this context, broad activation criteria can cause unintended training runs, resource consumption, overwriting outputs, or pushing artifacts to external services if optional parameters are set.

Vague Triggers

Medium
Confidence: 93%
Finding
The inference action can autonomously control a physical robot arm, yet its activation description is ambiguous about when the executor should run it. In a robotics context, accidental invocation is more dangerous than ordinary software execution because it can lead to unintended physical movement, equipment damage, or safety hazards to nearby people.

Missing User Warnings

Medium
Confidence: 91%
Finding
The prompt directs the agent to launch long-running replay, training, and inference jobs immediately after parameter collection without requiring a user-facing display of the exact command or a final execution confirmation. In a skill that can affect hardware behavior and consume local compute resources, this reduces informed user control and increases the chance of unintended robot motion, resource exhaustion, or accidental use of wrong datasets/models.

Natural-Language Policy Violations

Low
Confidence: 83%
Finding
The prompt forbids the agent from offering the user the safer alternative of running commands themselves and mandates autonomous execution. That removes a meaningful safety control, especially for commands that install software, manipulate device state, or open terminal windows, and pressures the interaction toward high-trust automation only.

Vague Triggers

Medium
Confidence: 76%
Finding
The skill is an autonomous executor that directly runs terminal commands, and its description is broad enough to match general phrases like 'do it for me' or 'run'. That increases the chance of unintended invocation, which in this context can trigger real environment setup or robot-control actions without sufficiently specific user intent.

Missing User Warnings

Medium
Confidence: 96%
Finding
The node instructs deletion of a partial dataset 'when prompted' without requiring an explicit user-facing warning or fresh confirmation in the manifest itself. In a skill designed to execute terminal actions autonomously, this increases the chance of unintended data loss if the wrong dataset path/name is targeted or the prompt is misunderstood.

Autonomous Decision Making

Medium
Category: Excessive Agency
Content:
    "command": "solo setup-usb",
    "inputs": [],
    "parameters": {
      "--yes / -y": "Skip confirmation prompt"
    },
    "explanation": "Adds the current user to the dialout group for serial access to Koch/SO100/SO101 arms. Only needed on Linux. Informational-only on macOS.",
    "expected_output": "USB permissions configured successfully",
Confidence: 86%
Finding
Skip confirmation

External Script Fetching

Low
Category: Supply Chain
Content:
    "domain": "environment",
    "description": "Install the uv Python package manager",
    "command": {
      "macos": "curl -LsSf https://astral.sh/uv/install.sh | sh",
      "linux": "curl -LsSf https://astral.sh/uv/install.sh | sh",
      "windows": "powershell -ExecutionPolicy ByPass -c \"irm https://astral.sh/uv/install.ps1 | iex\""
    },
Confidence: 97%
Finding
curl -LsSf https://astral.sh/uv/install.sh | sh

External Script Fetching

Low
Category: Supply Chain
Content:
    "description": "Install the uv Python package manager",
    "command": {
      "macos": "curl -LsSf https://astral.sh/uv/install.sh | sh",
      "linux": "curl -LsSf https://astral.sh/uv/install.sh | sh",
      "windows": "powershell -ExecutionPolicy ByPass -c \"irm https://astral.sh/uv/install.ps1 | iex\""
    },
    "inputs": ["os_platform"],
Confidence: 97%
Finding
curl -LsSf https://astral.sh/uv/install.sh | sh

External Script Fetching

High
Category: Supply Chain
Content:
    "external_installs": [
      {
        "url": "https://astral.sh/uv/install.sh",
        "method": "curl | sh",
        "purpose": "Official uv Python package manager installer from astral.sh. Disclosed to user before execution.",
        "alternatives": ["pip install uv", "brew install uv (macOS)"]
      }
Confidence: 91%
Finding
curl | sh

VirusTotal

VirusTotal findings are pending for this skill version.