Alibabacloud Network Health Inspection

Security checks across malware telemetry and agentic risk

Overview

The skill’s cloud inspection logic is mostly read-only, but its documentation understates the changes it makes to the local machine, and it ships an optional path that publishes sensitive infrastructure reports to an external service.

Install only if you are comfortable with the agent using your configured Alibaba Cloud credentials to inventory network resources and generate local reports. Before running it, review or remove the automatic pip install, aliyun plugin update, and global AI-mode configuration steps. Use the DingTalk publishing path only with explicit intent, because it can upload detailed infrastructure and monitoring information to an external document service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
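The "Behavioral AST" and "Dangerous Code Execution" checks are a static pass over the skill's Python source. The block below is an added example of such a pass, not SkillSpector's own code (whose internals this page does not show): it walks the AST and flags subprocess calls with shell=True (including a shell flag whose value is not a literal, which cannot be decided statically), exec()/eval()/__import__ calls, and importlib.import_module(). SAMPLE_SOURCE is constructed for the example; its call_api function mirrors the subprocess pattern quoted in the first finding below.

```python
import ast

# subprocess entry points where shell=True hands the command string to /bin/sh
SUBPROCESS_SHELL_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}
# builtins that execute or import code chosen at run time, keyed to the page's labels
DANGEROUS_BUILTINS = {"exec": "exec() Call", "eval": "eval() Call", "__import__": "Dynamic Import"}

# Constructed sample skill source; line 7 is the pattern from the first finding.
SAMPLE_SOURCE = '''\
import importlib
import shlex
import subprocess

def call_api(cmd, timeout):
    shell_cmd = " ".join(shlex.quote(c) for c in cmd)
    return subprocess.run(shell_cmd, shell=True, capture_output=True, text=True, timeout=timeout)

def load_plugin(name):
    return importlib.import_module(name)

def evaluate(expr):
    return eval(expr)

def safe(cmd):
    return subprocess.run(cmd, capture_output=True, text=True)

def maybe(cmd, use_shell):
    return subprocess.check_output(cmd, shell=use_shell)
'''


def _is_attr_call(func, module, names):
    """True for a call of the form <module>.<name>(...) with <name> in names."""
    return (isinstance(func, ast.Attribute)
            and isinstance(func.value, ast.Name)
            and func.value.id == module
            and func.attr in names)


def scan_source(source, filename="<skill>"):
    """Return findings sorted by line; each is a dict with 'line', 'pattern', 'detail'."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if _is_attr_call(func, "subprocess", SUBPROCESS_SHELL_FUNCS):
            shell_kw = next((kw for kw in node.keywords if kw.arg == "shell"), None)
            if shell_kw is None:
                continue  # default shell=False: argv list, no shell involved
            value = shell_kw.value
            if isinstance(value, ast.Constant) and value.value is True:
                findings.append({"line": node.lineno, "pattern": "Dangerous Code Execution",
                                 "detail": f"subprocess.{func.attr}(..., shell=True)"})
            elif not (isinstance(value, ast.Constant) and value.value is False):
                # shell=<expression>: cannot be decided statically, so report it for review
                findings.append({"line": node.lineno, "pattern": "Dangerous Code Execution",
                                 "detail": f"subprocess.{func.attr}(..., shell=<dynamic>)"})
        elif isinstance(func, ast.Name) and func.id in DANGEROUS_BUILTINS:
            findings.append({"line": node.lineno, "pattern": DANGEROUS_BUILTINS[func.id],
                             "detail": f"{func.id}() call"})
        elif _is_attr_call(func, "importlib", {"import_module"}):
            findings.append({"line": node.lineno, "pattern": "Dynamic Import",
                             "detail": "importlib.import_module() call"})
    return sorted(findings, key=lambda f: f["line"])


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f"line {finding['line']}: {finding['pattern']}: {finding['detail']}")
```

The scanner only matches the module-qualified spelling (subprocess.run, importlib.import_module); a skill that does `from subprocess import run` or aliases the module would evade it, which is the usual reason such tools also track imports and aliases.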
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    shell_cmd = " ".join(shlex.quote(c) for c in cmd)
    try:
        result = subprocess.run(shell_cmd, shell=True, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"error": f"API call timed out: {product} {api}"}
    except FileNotFoundError:
Confidence
95% confidence
Finding
result = subprocess.run(shell_cmd, shell=True, capture_output=True, text=True, timeout=timeout)
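The quoted fragment resists argument injection only because every element passes through shlex.quote before the string reaches /bin/sh; the shell is doing no work here, and a single unquoted element in a future edit would turn the call into a command-injection primitive. The block below is an added example, not the skill's code, that contrasts the unquoted anti-pattern, the quoted pattern from the finding, and the hardened argv-list form, which handles the same two error paths (timeout and missing executable). The names unsafe_shell_join, quoted_shell_join and run_api are chosen here; the demonstrations use echo and the current interpreter so the block runs offline, and the shell demonstrations assume a POSIX sh.

```python
import shlex
import subprocess
import sys

PYTHON = sys.executable  # used by the demonstrations so no external tool is needed


def unsafe_shell_join(cmd):
    """Anti-pattern: join user-influenced arguments into one string and hand it to
    /bin/sh. Any argument containing ';', '&&', '$(...)' and so on is executed."""
    return subprocess.run(" ".join(cmd), shell=True, capture_output=True, text=True).stdout


def quoted_shell_join(cmd):
    """The pattern from the finding: each element is shlex.quote()d, so the shell
    sees exactly one word per element. Safe only while every element stays quoted."""
    shell_cmd = " ".join(shlex.quote(c) for c in cmd)
    return subprocess.run(shell_cmd, shell=True, capture_output=True, text=True).stdout


def run_api(cmd, timeout):
    """Hardened form: argv list, no shell, and explicit handling of the two error
    paths the original excerpt handles (timeout and missing executable)."""
    if not cmd or not all(isinstance(c, str) for c in cmd):
        return {"error": "cmd must be a non-empty list of strings"}
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child before raising, so nothing is left running
        return {"error": f"API call timed out: {cmd[0]}"}
    except FileNotFoundError:
        return {"error": f"executable not found: {cmd[0]}"}
    return {"returncode": result.returncode, "stdout": result.stdout, "stderr": result.stderr}


if __name__ == "__main__":
    hostile = "x; echo injected"  # constructed argument carrying a shell metacharacter
    print(repr(unsafe_shell_join(["echo", hostile])))    # 'x\ninjected\n': second command ran
    print(repr(quoted_shell_join(["echo", hostile])))    # 'x; echo injected\n': one literal word
    print(run_api([PYTHON, "-c", "import sys; print(sys.argv[1])", hostile], timeout=10))
    print(run_api(["no-such-binary-for-demo"], timeout=5))
```

With the argv-list form there is no quoting to get wrong and no dependency on the local shell, which is the change a reviewer should ask for here; the scanner finding would then disappear because the shell=True keyword is gone rather than because it was suppressed.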

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill repeatedly asserts that all operations are read-only, yet the workflow enables/disables CLI AI mode, updates plugins, installs Python packages, creates files/directories, and later writes reports/documents. This is dangerous because users may consent under false assumptions and the agent may modify the local system or external state despite the stated safety guarantees.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The optional DingTalk publishing flow uploads generated artifacts externally, creates documents, and appends large report contents through additional tools and `curl`. That exceeds the core inspection purpose and introduces unnecessary exfiltration and third-party write surfaces for potentially sensitive infrastructure inventory and monitoring data.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The safety section claims Bash is never used for write operations, but the instructions include `mktemp`, `mkdir`, redirection to JSON/report files, `pip3 install`, plugin updates, AI-mode configuration changes, and remote uploads. This contradiction undermines trust and can bypass human review by presenting a materially false risk profile.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The module invokes main() twice under the __main__ guard, so every CLI execution runs the full report generation logic two times. In this skill, that causes duplicated processing, duplicate stdout/file writes, and repeated reading of user-supplied directories and optional image URL mapping files, which can lead to inconsistent output, accidental overwrites, or unnecessary resource consumption.

VirusTotal

0 of 64 vendors flagged this skill; all 64 reported it clean.

View on VirusTotal