SkillWiki

Security checks across malware telemetry and agentic risk

Overview

SkillWiki is a disclosed ClawHub skill-review helper that downloads and inspects skill packages, with some hardening gaps users should understand before running it.

Install this only if you want a slug-based ClawHub skill review helper. Expect it to contact the configured download endpoint, download a ZIP, extract it in a temporary directory, read skill files from that package, and optionally update skillwiki.ini for language or endpoint settings. For unpublished or locally modified skills, inspect the local files separately because this workflow intentionally reviews the downloaded ClawHub package.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Severity
Medium
Category
MCP Least Privilege
Confidence
89%
Finding
The skill advertises and instructs use of a helper script that downloads remote skill packages, reads their contents, and may write local configuration, yet the skill declares no explicit permissions or equivalent warning boundaries. This mismatch increases the chance that users invoke network, file-read, and file-write behavior without informed consent or proper sandbox expectations.

Tp4

Severity
High
Category
MCP Tool Poisoning
Confidence
97%
Finding
The description claims the workflow is to download JSON and never read target skill files directly, but the documented behavior indicates downloading full ZIP archives, extracting them, reading their files, scanning scripts, and allowing endpoint/config overrides. That discrepancy is security-relevant because it conceals a larger attack surface: archive extraction, local file inspection, persistent state changes, and trust in a configurable remote source.

Missing User Warnings

Severity
Medium
Confidence
92%
Finding
The markdown instructs the model to download remote content and update local configuration, but does not require an explicit warning or confirmation to the user before network access or persistent local state changes. That can lead to silent outbound requests and durable modifications to configuration, which are risky in agent environments.

Missing User Warnings

Severity
Medium
Confidence
94%
Finding
The script downloads an untrusted ZIP from a remote URL and extracts it with zipfile.extractall() without validating member paths, sizes, or archive structure. A malicious archive could exploit zip-slip style path traversal to overwrite files outside the temporary directory, and decompression bombs or oversized archives could exhaust disk space during analysis.

VirusTotal

65/65 vendors flagged this skill as clean.