skill-creator

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its stated skill-building purpose, but its local review viewer can terminate other local processes and it loads third-party scripts into pages containing eval outputs.

Install only if you are comfortable with a skill that can run local Python/shell workflows, spawn eval agents, call Claude/Anthropic tooling, and write review artifacts. Prefer the static viewer mode for sensitive evaluations, avoid using occupied ports, stop any background viewer after review, and do not embed confidential outputs in the CDN-backed viewer unless you accept that external script dependency.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs the agent to read and write files, execute shell commands, launch Python scripts, and use environment-dependent tooling, but it does not declare any permissions or capability boundaries. That mismatch increases the risk of over-privileged execution and makes it harder for a host system or reviewer to reason about what the skill is allowed to do.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script unconditionally identifies processes bound to the requested port and sends SIGTERM to them before starting its own server. That gives a review utility unnecessary host-management power and can disrupt unrelated local services, developer tools, or security controls if the user points it at a commonly used port.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The top-level description says the tool only generates and serves a review page, but the implementation also kills processes on the selected port. This mismatch is security-relevant because operators may run the tool assuming it is read-only/non-destructive, increasing the chance of accidental disruption.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
This viewer loads executable JavaScript and fonts from third-party CDNs at runtime, which creates an unnecessary external trust dependency for a local eval-review tool. If the CDN, dependency, or delivery path is compromised, an attacker could inject script into the review page and read embedded run data or reviewer feedback, or manipulate the UI and saved results.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The top-level description is broad enough to trigger on many generic requests about creating, modifying, testing, benchmarking, or optimizing skills. Over-broad activation can cause the wrong skill to run in unrelated contexts, leading to unnecessary file operations, shell execution, or workflow changes the user did not explicitly request.

Vague Triggers

High
Confidence
94% confidence
Finding
The instruction to make descriptions 'pushy' and trigger on broad related mentions actively encourages ambiguous or excessive skill activation. In context, this is more dangerous because the skill can spawn subagents, execute scripts, write files, and launch background viewers, so accidental triggering can amplify operational and security risk beyond a harmless prompt mismatch.

Vague Triggers

Medium
Confidence
72% confidence
Finding
The file defines two materially different analysis modes in one prompt surface with only prompt-supplied parameters distinguishing them. An LLM or orchestration layer can misclassify the task and follow the wrong instruction set, causing benchmark runs to produce prescriptive skill-improvement advice or post-hoc comparisons to omit required structured output; in a multi-agent pipeline, this can corrupt downstream decisions and evaluations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script logs the full prompt, model response, and especially the model's hidden 'thinking' content to disk in a JSON transcript. Those fields can contain sensitive data from skill contents, eval queries, prior history, and internal reasoning that users typically do not expect to be persisted, creating a confidentiality and prompt-leakage risk if logs are later accessed, shared, or committed.

Session Persistence

Medium
Category
Rogue Agent
Content
4. **Launch the viewer** with both qualitative outputs and quantitative data:
   ```bash
   nohup python <skill-creator-path>/eval-viewer/generate_review.py \
     <workspace>/iteration-N \
     --skill-name "my-skill" \
     --benchmark <workspace>/iteration-N/benchmark.json \
   ```
Confidence
88% confidence
Finding
nohup

VirusTotal

VirusTotal findings are pending for this skill version.
