Scheme Generation Design Writing

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but its documentation tells users to disable TLS certificate verification for the dependent Figma client, and it builds an index of sensitive local project inventories (names, paths, and file lists).

Install only if you are comfortable letting it scan a deliberately limited historical-project folder and write a local project index containing project names, paths, and file lists. Do not follow the manual's advice to disable SSL verification for Figma; point the client at your organisation's trusted CA bundle and proxy settings instead. Store any Figma token securely, keep it read-only, and do not feed the skill confidential client or product files unless you are authorized to process and retain them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation instructs scanning local historical project directories, reading project files, and writing generated documents and index files, but it does not declare permissions for those file system capabilities. Undeclared read/write access is dangerous because users and orchestrators cannot accurately assess what data the skill will touch, increasing the risk of unintended access to sensitive project materials and silent persistence of derived artifacts.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The stated purpose focuses on generating concept proposals and design descriptions, but the documented behavior also includes broad local directory traversal, indexing, ranking/retrieval, JSON output generation, and repository/config validation tasks. This mismatch is dangerous because it obscures materially different data-processing behavior from users, which can lead to overbroad access to local files and trust decisions based on incomplete disclosure.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The examples document claims the skill can generate design documentation from images/PDFs, but the skill metadata says design-doc generation depends on the Figma skill. This mismatch can cause agents or users to provide unsupported local files, leading to unsafe assumptions about what data sources the skill may ingest and potentially triggering unintended file-access behavior in downstream tooling.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The FAQ states support for image, PDF, and Sketch-exported designs even though the skill description limits design input to Figma via the figma skill. Contradictory capability claims are dangerous because they broaden perceived input scope, increasing the chance that an agent will mishandle local files or invoke unsupported processing paths on sensitive design artifacts.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The guide explicitly instructs users to modify the dependent Figma client to disable TLS certificate verification and suppress related warnings. This creates a real man-in-the-middle risk for any Figma API traffic and is not necessary for a document-generation skill’s core purpose, making interception or tampering of design data and tokens much easier.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script prints and emits in JSON the matched project path plus detailed file metadata, which can expose internal repository structure and sensitive historical project inventory to any caller of the skill. In this skill context, historical project materials are likely proprietary design assets, so disclosing paths and file lists exceeds the minimum needed for proposal generation and increases data exposure risk.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The code implements a broad project discovery interface that ranks and returns historical projects based on free-form queries, effectively providing a searchable catalog of internal assets. For a skill whose stated purpose is generating templates and design docs, this expands the accessible surface area and can be abused for reconnaissance or bulk discovery of sensitive prior work.
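The three findings above share one remedy: scope the scan to an allowlisted root, keep the file inventory as an internal artefact written with owner-only permissions, and return nothing but project names and scores to callers. The following is an added example of that shape, not the skill's own code; it assumes projects are sibling directories under one root, that callers only need a ranked list, and that the sample projects, skip lists and scoring are constructed for illustration.

```python
"""Least-disclosure index for the historical-project retrieval step.

Added example, not the skill's own code. Assumes projects are sibling
directories under one allowlisted root, that callers only need a ranked list
of project names, and that the full file list is an internal artefact. The
sample projects, skip lists and scoring are constructed here.
"""
from __future__ import annotations

import json
import os
import re
import tempfile
from pathlib import Path

SKIP_DIRS = {".git", "node_modules", "__pycache__"}
SKIP_FILES = {".env", ".npmrc", "id_rsa"}              # never index secrets
INDEX_EXT = {".md", ".txt", ".docx", ".pdf", ".json", ".png"}


def _tokens(text: str) -> set[str]:
    return set(re.findall(r"\w+", text.lower()))       # \w also matches CJK characters


def build_index(root: str | Path, max_files: int = 500) -> dict[str, dict]:
    """Walk only the allowlisted root; store paths relative to it, never absolute."""
    root = Path(root).resolve()
    index: dict[str, dict] = {}
    for project in sorted(p for p in root.iterdir() if p.is_dir() and p.name not in SKIP_DIRS):
        files: list[str] = []
        for f in sorted(project.rglob("*")):
            rel = f.relative_to(project)
            if any(part in SKIP_DIRS for part in rel.parts):
                continue
            if f.is_file() and f.name not in SKIP_FILES and f.suffix.lower() in INDEX_EXT:
                files.append(rel.as_posix())
                if len(files) >= max_files:             # bound the inventory size
                    break
        terms = _tokens(project.name) | {t for fn in files for t in _tokens(Path(fn).stem)}
        index[project.name] = {"files": files, "terms": sorted(terms)}
    return index


def query(index: dict[str, dict], text: str, k: int = 3) -> list[dict]:
    """Rank projects by term overlap and expose only name and score.
    Callers never receive file lists or filesystem paths."""
    q = _tokens(text)
    scored = ((len(q & set(meta["terms"])), name) for name, meta in index.items())
    hits = sorted((sn for sn in scored if sn[0] > 0), key=lambda sn: (-sn[0], sn[1]))
    return [{"project": name, "score": score} for score, name in hits[:k]]


def save_index(index: dict[str, dict], path: str | Path) -> Path:
    """Persist the index (which does hold file lists) owner-readable only."""
    path = Path(path)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(index, fh, ensure_ascii=False, indent=1)
    return path


def make_sample_root() -> Path:
    """Constructed sample tree so the example runs offline."""
    root = Path(tempfile.mkdtemp(prefix="projects-"))
    layout = {
        "mall-concept": ["design-proposal.md", "renders/lobby.png", ".env", ".git/config"],
        "hospital-plan": ["notes.md", "node_modules/x/index.json"],
    }
    for project, files in layout.items():
        for rel in files:
            p = root / project / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("sample", encoding="utf-8")
    return root


if __name__ == "__main__":
    root = make_sample_root()
    idx = build_index(root)
    save_index(idx, root / "index.json")
    print(json.dumps(query(idx, "mall design proposal"), ensure_ascii=False))
```

The index on disk still contains the file inventory, which is why it is written with mode 0600 and why the public `query` result carries only `project` and `score`; if an orchestrator needs more, that is a separate, declared capability rather than a side effect of retrieval.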

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README encourages processing historical project materials and Figma/image content, which commonly contain confidential product plans, internal design systems, user data, or client assets, but it provides no privacy, consent, retention, or access-control guidance. In a documentation-generation skill, this omission increases the risk that operators will ingest sensitive design data into the tool without understanding exposure boundaries or compliance requirements.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger description includes broad keyword-based activation such as references to '方案模板' (proposal template), '设计说明' (design description), '概念方案' (concept proposal), 'design doc', and 'design proposal', which can match many ordinary conversations. Overbroad triggers are risky because they may cause the skill to activate unexpectedly and initiate local file indexing or external Figma-related processing in contexts where the user did not intend those actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill description does not clearly warn that it reads and indexes historical project files and writes generated Word documents and index artifacts to disk. In this context, the historical projects are likely to contain confidential design, product, or customer materials, so missing disclosure increases the chance of unintended exposure, retention, or processing of sensitive enterprise data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill advertises dependence on a Figma integration but does not clearly inform users that Figma links and related design data may be sent to that dependent service for extraction and analysis. This matters because design files often contain unreleased product details, branding assets, and internal annotations, so undisclosed transmission to another component can create privacy and confidentiality risks.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The examples describe reading historical project documents, Figma content, and local image files without any privacy, consent, or data-handling warning. Because these sources can contain proprietary product plans, customer data, or internal design assets, the omission may encourage users or agents to process sensitive material without appropriate authorization or minimization.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide instructs users to process historical project documents, design files, and Figma content, and to generate output documents, but it does not warn about sensitive data exposure, confidentiality, or IP/privacy risks. In this skill’s context, users are likely to feed proprietary client materials and internal design artifacts, so omission of data-handling cautions can lead to unintended disclosure or inappropriate reuse of sensitive content.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation tells users to place a long-lived Figma personal access token into a local `.env` file but gives no warning about file permissions, secret handling, rotation, or exclusion from source control. While storing a token locally is common, omitting basic secret-hygiene guidance increases the chance of credential exposure and unauthorized access to Figma files.
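The hygiene the finding asks for can be checked mechanically before the token is ever read. Below is an added example of such a check (not the skill's own code); it assumes the token lives in `<project>/.env` under a variable named `FIGMA_TOKEN`, and the sample project tree and token value are constructed here.

```python
"""Secret-hygiene gate for a Figma token kept in a local .env file.

Added example, not the skill's own code. Assumes the token is stored as
FIGMA_TOKEN in <project>/.env; the sample tree and token are constructed.
"""
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path

TOKEN_VAR = "FIGMA_TOKEN"          # assumed variable name


def audit_dotenv(project: str | Path) -> list[str]:
    """Report the basic mistakes the documentation fails to warn about."""
    project = Path(project)
    env = project / ".env"
    if not env.is_file():
        return ["no .env present"]
    issues: list[str] = []
    mode = stat.S_IMODE(env.stat().st_mode)
    if mode & 0o077:
        issues.append(f".env mode {mode:04o} is readable by group/other")
    gitignore = project / ".gitignore"
    if not gitignore.is_file() or ".env" not in gitignore.read_text(encoding="utf-8").split():
        issues.append(".env is not listed in .gitignore")
    return issues


def harden_dotenv(project: str | Path) -> list[str]:
    """Apply the fixes and return whatever the audit still complains about."""
    project = Path(project)
    os.chmod(project / ".env", 0o600)
    gitignore = project / ".gitignore"
    existing = gitignore.read_text(encoding="utf-8").split() if gitignore.is_file() else []
    if ".env" not in existing:
        with gitignore.open("a", encoding="utf-8") as fh:
            fh.write(".env\n")
    return audit_dotenv(project)


def load_token(project: str | Path) -> str:
    """Refuse to read the token while the audit fails, so a careless setup
    cannot silently work."""
    issues = audit_dotenv(project)
    if issues:
        raise PermissionError("; ".join(issues))
    for line in (Path(project) / ".env").read_text(encoding="utf-8").splitlines():
        if line.startswith(TOKEN_VAR + "="):
            return line.split("=", 1)[1].strip().strip('"')
    raise KeyError(TOKEN_VAR)


def redact(token: str) -> str:
    """Form safe for logs: never echo more than the last four characters."""
    return "****" + token[-4:]


def make_sample_project() -> Path:
    """Constructed project with the two common mistakes: world-readable .env, no .gitignore."""
    project = Path(tempfile.mkdtemp(prefix="skill-"))
    env = project / ".env"
    env.write_text(f'{TOKEN_VAR}="example-token-0000"\n', encoding="utf-8")
    os.chmod(env, 0o644)
    return project


if __name__ == "__main__":
    proj = make_sample_project()
    print("before:", audit_dotenv(proj))
    print("after: ", harden_dotenv(proj))
    print("token:", redact(load_token(proj)))
```

Rotation and scoping cannot be checked from the file alone; pair this gate with a read-only token and a calendar reminder to rotate it.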

Missing User Warnings

High
Confidence
97% confidence
Finding
The document not only advises disabling SSL verification and bypassing proxy configuration, but also fails to warn users that these changes undermine transport security and may violate enterprise network controls. In context, this is especially risky because the same integration uses an access token, so weakened HTTPS protections can directly expose credentials and data in transit.
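The two TLS findings (this one and the Context-Inappropriate Capability finding above) come down to a single configuration choice. The following added example, not code from the skill or from Figma's own client, puts the weak setting beside the corrected one using only the standard library; it assumes a urllib-based client, and the only Figma-specific fact it relies on is that the REST API takes a personal access token in the X-Figma-Token header. Nothing is sent over the network.

```python
"""Weak versus hardened TLS and proxy setup for a token-authenticated HTTPS client.

Added example, not code from the skill or from Figma's own client. Assumes a
standard-library urllib client; the X-Figma-Token header is the documented
way to pass a personal access token to the Figma REST API. No network I/O.
"""
from __future__ import annotations

import re
import ssl
import urllib.request

FIGMA_API = "https://api.figma.com/v1/files/"


def weak_context() -> ssl.SSLContext:
    """What 'disable SSL verification' amounts to: any certificate is accepted,
    so anyone on the path can terminate TLS and read the token and design data."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: str | None = None) -> ssl.SSLContext:
    """Keep chain and hostname verification on. Behind a TLS-inspecting proxy,
    pass its CA bundle as `cafile` (or set SSL_CERT_FILE) instead of turning
    verification off."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Checks a reviewer runs on a context before trusting it with a token."""
    issues: list[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("certificate verification disabled")
    if not ctx.check_hostname:
        issues.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append("TLS below 1.2 allowed")
    return issues


def build_opener(ctx: ssl.SSLContext, bypass_proxy: bool = False) -> urllib.request.OpenerDirector:
    """Honour HTTPS_PROXY / NO_PROXY from the environment so traffic stays under
    enterprise egress controls. bypass_proxy=True reproduces the guide's advice
    and is here only to make the difference visible: an empty ProxyHandler
    ignores the environment."""
    proxies = {} if bypass_proxy else urllib.request.getproxies()
    return urllib.request.build_opener(
        urllib.request.ProxyHandler(proxies),
        urllib.request.HTTPSHandler(context=ctx),
    )


def figma_request(file_key: str, token: str) -> urllib.request.Request:
    """Build (not send) a file fetch. The token rides in a header, so it is only
    as protected as the TLS channel carrying it. File keys are assumed to be
    alphanumeric; anything else is rejected rather than spliced into the URL."""
    if not re.fullmatch(r"[A-Za-z0-9]+", file_key):
        raise ValueError("unexpected file key")
    if not token:
        raise ValueError("missing token")
    req = urllib.request.Request(FIGMA_API + file_key)
    req.add_header("X-Figma-Token", token)
    return req


if __name__ == "__main__":
    print("weak:", audit_context(weak_context()))          # lists the disabled checks
    print("hardened:", audit_context(hardened_context()))  # []
    build_opener(hardened_context())                       # proxy-aware, verified opener
```

The point of `audit_context` is that it can sit in the skill's own startup path: if the context it is about to use with the token fails the audit, abort rather than warn, since a warning is exactly what the guide tells users to suppress.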

VirusTotal

66/66 vendors flagged this skill as clean.
