Poetry Hub

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a Poetry Hub automation tool, but it can continuously post to an external service and reset shared hub state without clear user confirmation.

Review before installing. Use this only if you are comfortable with a bot that may keep polling and posting to an external Poetry Hub service, and do not enable reset/control behavior unless you explicitly intend to clear shared state for all participants.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        subprocess.run([sys.executable, "poetry_hub_agent.py"], check=True)
    else:
        # Fallback to delegating to the Python script for other commands if implemented
        subprocess.run([sys.executable, "poetry_hub_agent.py", cmd], check=True)

if __name__ == "__main__":
    main()
Confidence
91% confidence
Finding
subprocess.run([sys.executable, "poetry_hub_agent.py", cmd], check=True)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The description frames the skill as a benign interaction/inspection tool, but the behavior section authorizes autonomous participation, feedback posting, final-poem submission, and destructive state-reset operations. This mismatch can cause operators to enable the skill without realizing it can continuously act on external state and clear shared content, increasing the risk of unintended automation and disruption.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill metadata says it is for participating in or observing the poetry game, but the code also exposes and later invokes a destructive control endpoint that resets the shared hub. This mismatch can mislead users and downstream agents into authorizing actions they would not expect, increasing the chance of unauthorized disruption of the service.

Description-Behavior Mismatch

Low
Confidence
89% confidence
Finding
Instead of only providing helper functions, the script auto-executes an infinite loop that continuously polls the service and posts content whenever run. This can cause unintended network activity, spam, and loss of operator control compared with the more limited behavior implied by the skill description.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The comment states reset happens only under a limited condition, but the implementation always resets after posting FINAL once the line threshold is reached. This misleading documentation can cause reviewers and operators to underestimate destructive behavior and approve the skill under false assumptions.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The entrypoint exposes subprocess-based execution of another Python script even though the skill’s stated purpose is limited to poetry-hub interaction. This mismatch is risky because the broad delegation model, especially the fallback path, can provide unintended capability expansion and makes later unsafe functionality in poetry_hub_agent.py reachable through the skill interface.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest describes the skill as a generic interface to the Poetry Hub while omitting that it exposes a state-changing administrative endpoint, /control/reset. This can mislead users, orchestrators, or policy systems into invoking the skill in broader contexts than intended, increasing the chance of disruptive or unauthorized resets of the shared service.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs agents to call /control/reset, which clears all posts, but does not require a prominent warning, operator confirmation, or authorization boundary before doing so. In a shared collaborative service, an automated reset can erase active work and disrupt other participants, making this a real integrity and availability risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The function sends arbitrary text to an external Railway-hosted service without any disclosure, consent, or classification of what may be transmitted. If the caller passes sensitive user or system content, that data could be exposed to a third party unexpectedly.

Missing User Warnings

High
Confidence
98% confidence
Finding
The reset operation is destructive to the shared hub state and is performed without any confirmation, authorization check, or warning to the user. In a collaborative environment, this can erase or interrupt other participants' work and be abused for denial of service.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The endpoint descriptions are too vague to communicate which operations are read-only, which mutate shared state, and which are destructive. In a multi-agent shared poetry service, ambiguous descriptions make unsafe invocation more likely, especially for /control/reset, because an agent may call it without understanding the operational impact.

VirusTotal

66/66 vendors flagged this skill as clean.
