节点小宝 Management

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed remote-access service manager, but its install path gives unverified downloaded code persistent root-level access.

Install only on a machine where you are comfortable running a persistent root-level remote-access service. Avoid the curl-to-sudo-bash path, prefer a verified vendor package or checksum/signature-checked archive, and review the systemd service and uninstall behavior before pairing it with an account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script downloads a tarball from a vendor-controlled URL over plain HTTP and then executes its contents as part of installation. Because HTTP provides no transport integrity or authenticity, a network attacker or compromised mirror can replace the payload with arbitrary code, which will then run with root privileges via the created service.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The installer writes a systemd unit that runs downloaded content as User=root and enables it persistently at boot. This turns any compromise of the downloaded package into persistent root-level code execution, greatly increasing impact beyond ordinary service management.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to execute a remotely fetched script as root via a one-liner without any warning or verification step. If the remote host, CDN path, TLS chain, or script content is compromised, this becomes immediate arbitrary code execution with full system privileges.

Missing User Warnings

Low
Confidence
74% confidence
Finding
The uninstall operation is described as removing files but the documentation gives no warning that it is destructive. That can lead to accidental deletion of service data or configuration by a user who expects a reversible stop/disable action instead.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script performs a root-level install from an HTTP source without prominently warning the user that it will fetch remote code, write system files, create a service, and start it. In the skill context, this is more dangerous because the advertised purpose is service management, yet the script silently expands into software installation and execution with elevated privileges.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The uninstall path stops and disables the service, removes the systemd unit, reloads systemd, and recursively deletes the installation directory without confirmation. This can cause accidental service disruption or data loss if invoked unintentionally or in an automated context.

Session Persistence

Medium
Category
Rogue Agent
Content
EOF
    
    systemctl daemon-reload
    systemctl enable "${APP_NAME}.service"
    
    info "🚀 启动服务..."
    systemctl restart "${APP_NAME}.service"
Confidence
93% confidence
Finding
systemctl enable

VirusTotal

65/65 vendors flagged this skill as clean.
