Skill创建工厂 (Skill Creation Factory)

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate skill-generation tool, but it writes persistent, potentially executable skill files to caller-controlled locations without adequate containment.

Install it only if you trust the workflows that will call it. Run it in a sandboxed workspace, do not pass arbitrary output_dir values or resource filenames, and review generated scripts before allowing the created skills to persist or run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Missing Permission Declaration

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
This skill advertises and orchestrates sensitive capabilities—file reads/writes and likely shell-backed validation/packaging—without any declared permissions or trust boundary information. Because it is a callable skill factory that can create arbitrary files and scripts from structured input, the missing permission declaration hides powerful behavior from reviewers and enables downstream misuse, including creation of persistent or dangerous skills.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The specification explicitly says the description field is the primary triggering mechanism and only advises adding broad trigger phrases like what the skill does and when to use it, without requiring tight scope boundaries, exclusions, or disambiguation rules. In a callable skill factory, this can cause over-broad or unintended activation by other skills or automation workflows, increasing the chance of unsafe skill creation or execution in the wrong context.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The function writes attacker-controlled filenames and contents into scripts, references, and assets with no filename sanitization. Because nested path components like '../' or absolute paths are not blocked, a crafted name can escape the intended skill directory and overwrite arbitrary files writable by the process; executable bits may also be set on attacker-supplied .py/.sh files.

Session Persistence

Medium
Category
Rogue Agent
Content
## Workflow

1. **Validate parameters** - Check skill_name format, required fields
2. **Create directory structure** - `skill_name/` with appropriate subdirectories
3. **Generate SKILL.md** - Write frontmatter + instructions
4. **Create resources** - Write scripts, references, assets if provided
5. **Validate** - Run skill validation (optional, default: on)
Confidence
90% confidence
Finding
Flagged excerpt (steps 2 to 4 of the workflow above): create the `skill_name/` directory structure, generate SKILL.md, and write scripts, references and assets to disk.
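The traversal problem in the "Missing User Warnings" finding and the file-writing steps flagged above (steps 2 to 4 of the workflow) have the same fix: resolve every resource name against the skill's own directory before writing, and never grant executable bits by default. The block below is an added example of that containment check; it is not the scanned skill's code, and the function names (`write_resources`, `contained_path`), the `scripts`/`references`/`assets` layout and the workspace path are assumptions.

```python
"""Hardened "create resources" step for a skill factory.

Added example, not the scanned skill's own code.  Every resource name is
validated and resolved against the skill's own directory before anything
is written, and executable bits are cleared unless the caller opts in.
Names such as write_resources/contained_path and the layout are assumptions.
"""
import os
import re
import stat
import tempfile
from pathlib import Path, PurePosixPath

SKILL_NAME_RE = re.compile(r"[a-z0-9][a-z0-9_-]{0,63}")
ALLOWED_SUBDIRS = ("scripts", "references", "assets")
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


class UnsafeResourcePath(ValueError):
    """Raised for any name that would land outside the skill directory."""


def validate_skill_name(skill_name: str) -> str:
    # skill_name becomes a directory name, so it gets the same scrutiny.
    if not SKILL_NAME_RE.fullmatch(skill_name):
        raise UnsafeResourcePath(f"bad skill_name: {skill_name!r}")
    return skill_name


def contained_path(skill_root: Path, subdir: str, name: str) -> Path:
    """Return skill_root/subdir/name, or raise if it would escape skill_root."""
    if subdir not in ALLOWED_SUBDIRS:
        raise UnsafeResourcePath(f"unknown resource type: {subdir!r}")
    if "\\" in name or "\x00" in name:
        raise UnsafeResourcePath(f"unsafe characters in {name!r}")
    pure = PurePosixPath(name)
    # Reject absolute paths and any '.'/'..' component outright instead of
    # relying on normalisation to "fix" them.
    if pure.is_absolute() or not pure.parts or any(p in (".", "..") for p in pure.parts):
        raise UnsafeResourcePath(f"unsafe resource name: {name!r}")
    root = skill_root.resolve()
    target = (root / subdir / pure).resolve()  # resolve() also follows symlinks
    if root not in target.parents:
        raise UnsafeResourcePath(f"{name!r} resolves outside {root}")
    return target


def write_resources(workspace: Path, skill_name: str, resources: dict,
                    allow_executable: bool = False) -> list:
    """Write {"scripts": {name: content}, "references": {...}, "assets": {...}}
    under workspace/skill_name only.  Returns the files written."""
    root = workspace.resolve() / validate_skill_name(skill_name)
    root.mkdir(parents=True, exist_ok=True)
    written = []
    for subdir, files in resources.items():
        for name, content in files.items():
            target = contained_path(root, subdir, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            # "x" = O_CREAT|O_EXCL: never silently overwrite an existing file
            # (or write through an existing symlink).
            with open(target, "x", encoding="utf-8") as fh:
                fh.write(content)
            mode = target.stat().st_mode & ~EXEC_BITS
            if allow_executable and target.suffix in (".sh", ".py"):
                mode |= stat.S_IXUSR  # owner-exec only, and only on request
            os.chmod(target, mode)
            written.append(target)
    return written


def demo() -> dict:
    """Exercise the check against constructed benign and hostile inputs."""
    ws = Path(tempfile.mkdtemp(prefix="skillfactory-")).resolve()
    ok = write_resources(ws, "demo-skill", {
        "scripts": {"run.sh": "#!/bin/sh\necho hello\n"},
        "references": {"notes/intro.md": "# notes\n"},
    })
    # A symlink planted inside assets/ that points outside the skill directory.
    outside = ws / "outside"
    outside.mkdir()
    (ws / "demo-skill" / "assets").mkdir(exist_ok=True)
    os.symlink(outside, ws / "demo-skill" / "assets" / "link")
    hostile = {  # constructed attacker-style names
        "../../etc/evil": {"assets": {"../../etc/evil": "x"}},
        "/tmp/evil": {"assets": {"/tmp/evil": "x"}},
        "link/pwned": {"assets": {"link/pwned": "x"}},
        "hooks/a": {"hooks": {"a": "x"}},
    }
    rejected = []
    for label, res in hostile.items():
        try:
            write_resources(ws, "demo-skill", res)
        except UnsafeResourcePath:
            rejected.append(label)
    return {
        "written": sorted(str(p.relative_to(ws)) for p in ok),
        "run_sh_executable": bool((ws / "demo-skill/scripts/run.sh").stat().st_mode & EXEC_BITS),
        "rejected": rejected,
        "outside_untouched": not (outside / "pwned").exists(),
    }


if __name__ == "__main__":
    print(demo())
```

The check resolves the final path (following symlinks) and then tests that the skill root is one of its parents, rather than string-matching a prefix, and it opens with `"x"` so an existing file or symlink is never overwritten. It does not close the window between `resolve()` and `open()` on a filesystem another process can modify; for that, keep the workspace private to the factory process, as the overview recommends.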

VirusTotal

VirusTotal findings are pending for this skill version.
