Ai Bug Fixer

Security checks across malware telemetry and agentic risk

Overview

This is a simple bug-fixing helper, but its bundled scripts appear to be canned demos rather than real log analysis or patch generation.

Install only if you want a lightweight illustrative debugging helper. Do not rely on its script output as real analysis unless you verify it yourself; review generated fixes in version control and run tests before applying anything.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The function is presented as a log analyzer but never parses or inspects the supplied log input, instead returning fixed mock data. In a bug-fixing skill, this can mislead users into trusting fabricated diagnostics, causing incorrect remediation decisions and masking real operational or security issues in logs.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The function is presented as a patch generator that should derive a diff from the provided buggy and fixed inputs, but it always returns the same hard-coded patch. In a bug-fixing skill, this is dangerous because downstream users or agents may trust the output as a real remediation artifact, leading to incorrect fixes, failed deployments, or silent corruption of engineering workflows.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The docstring and function name claim to generate a patch, but the implementation ignores the caller-controlled data and emits a canned example diff. This mismatch is a security-relevant integrity issue because other components may consume the artifact as if it were genuine, causing unsafe automated patching decisions in a skill explicitly intended to diagnose and fix bugs.

Vague Triggers

Medium
Confidence: 82%
Finding
The trigger conditions are broad ('when the user needs' diagnosis, fixes, exception advice, regression tests, or patches), which can cause the skill to activate in many code-related contexts without clear boundaries. In an agent setting, overbroad activation increases the chance of the skill receiving sensitive source code, logs, stack traces, or making changes when a narrower tool should have been used.

VirusTotal

VirusTotal findings are pending for this skill version.
