Security audit

skelm

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent helper for building and running skelm workflow pipelines, with sensitive gateway, environment, and agent capabilities disclosed in its docs.

Install only if you intend to use skelm to run workflow or agent pipelines. Keep the gateway bound to localhost unless bearer auth and network controls are configured, avoid putting broad secrets in inherited environment variables, and grant agent filesystem, command, MCP, network, and secret permissions only for the specific workflow being run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings (Medium)

Confidence: 95%
Finding: The template config explicitly sets the gateway server to `auth: { mode: 'none' }`, which disables authentication. Even though the server binds to `127.0.0.1`, this can still expose privileged local control to other local users/processes, containers, browser-based localhost attacks, or unintentionally broadened exposure if the host binding is later changed without updating auth.

Missing User Warnings (Medium)

Confidence: 93%
Finding: The documentation explicitly states that subprocess steps, agents, and MCP servers inherit the merged environment, but it does not prominently warn that this can expose secrets from .env or process.env to child processes. In a system designed to spawn commands and third-party integrations, inherited credentials materially increase the risk of unintended secret disclosure or misuse.

Credential Access (High)

Category: Privilege Escalation
Content:
### `.env` / `config.env` loading (v0.4.3)

The CLI merges `<projectRoot>/.env` and `config.env` into `process.env` at startup. Precedence: `process.env > .env > config.env`. Subprocess steps (`ctx.exec`, agents, MCP servers) inherit the merged env. Add `.env` to `.gitignore` for secrets; use `config.env` inside `skelm.config.mts` for non-secret defaults like model names and base URLs.

---
Confidence: 94%
Finding: .env

Credential Access (High)

Category: Privilege Escalation
Content:
### `.env` / `config.env` loading (v0.4.3)

The CLI merges `<projectRoot>/.env` and `config.env` into `process.env` at startup. Precedence: `process.env > .env > config.env`. Subprocess steps (`ctx.exec`, agents, MCP servers) inherit the merged env. Add `.env` to `.gitignore` for secrets; use `config.env` inside `skelm.config.mts` for non-secret defaults like model names and base URLs.

---
Confidence: 94%
Finding: .env

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.