ClawHub

LMFiles

Security checks across malware telemetry and agentic risk

Overview

LMFiles is a disclosed helper for uploading files to lmfiles.com, but users should only use it for files they intentionally want to make publicly shareable.

Install only if you trust lmfiles.com and intend to upload files there. Review each file before upload, assume returned links are public, verify file IDs before deletion, and keep LMFILES_API_KEY and LMFILES_BOOTSTRAP_TOKEN out of chat logs and shared transcripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation text is broad enough to trigger on many ordinary file-sharing or file-handling requests, increasing the chance the skill is selected when a safer local-only workflow would be more appropriate. In this context, overbroad matching is risky because the skill uploads content to a public external host, which could expose sensitive files if invoked too eagerly.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script uploads an arbitrary local file to a third-party service and sends the API key in the same request, but provides no explicit warning, confirmation, or disclosure to the user at execution time. In an agent or automation context, this increases the risk of unintended data exfiltration because a caller may trigger uploads of sensitive files without realizing they are being transmitted off-host to a public file-hosting service.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
export LMFILES_BOOTSTRAP_TOKEN="<bootstrap-token>"

curl -sS -X POST https://lmfiles.com/api/v1/accounts/register \
  -H "Content-Type: application/json" \
  -d '{"username":"my-bot","bootstrap_token":"'"$LMFILES_BOOTSTRAP_TOKEN"'"}'
Confidence
80% confidence
Finding
curl -sS -X POST https://lmfiles.com/api/v1/accounts/register \ -H "Content-Type: application/json" \ -d '{"username":"my-bot","bootstrap_token":"'"$LMFILES_BOOTSTRAP_TOKEN"'"}' # Copy api_key fr

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal