Forge AI Skill

Security checks across malware telemetry and agentic risk

Overview

This Forge AI helper appears purpose-built, but it handles passwords and saved login tokens in ways users should review before installing.

Install only if you trust the Forge AI endpoint and are comfortable with authenticated remote content changes. Avoid typing real passwords directly in shell commands when possible, keep the workspace private, do not commit .forgeai/session.json, review JSON payloads before sending them, and run logout when finished to remove the cached token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill documentation describes network access and local file writes, including storage of auth tokens in `.forgeai/session.json`, but does not declare permissions or clearly scope those capabilities. Hidden or undeclared side effects are security-relevant because users and platforms may invoke the skill without understanding that it can persist sensitive state and communicate with external services.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The documented trigger model says the skill should only be used when a user explicitly starts with `/forge`, but the described behavior includes a standalone CLI, local state persistence, and auxiliary publishing behavior not reflected in the declared purpose. This mismatch is dangerous because operators may trust the narrow description while the implementation exposes broader capabilities, increasing the chance of unintended execution, data leakage, or unauthorized external actions.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
Including broad trigger keywords such as `forge` and `forge-ai` can cause the skill to activate when users merely mention those terms rather than intentionally invoking `/forge`. Because the skill supports authentication, network requests, and local state changes, accidental invocation has meaningful security consequences.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The skill states that `.forgeai/session.json` stores the auth token and user info, but it does not prominently warn users in the description that sensitive authentication material is persisted locally. Local token storage raises theft and misuse risks on shared systems, in backups, or in environments with weak file permissions.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The example `forge_client.py login <email> <password>` encourages passing credentials directly on the command line, where they may be exposed through shell history, process listings, audit logs, or terminal recording. This is a well-known credential-handling risk and is especially dangerous for a skill that authenticates to an external service.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
Stating that the JSON file is transmitted as the exact HTTP `data` field means arbitrary file contents are sent verbatim to the remote API, but the skill description does not clearly warn users about that trust boundary. Without explicit notice, users may place secrets, local-only notes, or unsafe content into files that are then exfiltrated to the service unintentionally.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The client stores the session token in plaintext on disk under a predictable path in the current working directory. On multi-user systems, shared directories, or checked-in project folders, this can expose bearer tokens to other local users or leak them through backups, sync tools, or source control.

VirusTotal

66/66 vendors flagged this skill as clean.