Skill Hub Query

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Hub-management tool: it queries, installs, and edits skills and exposes user-facing controls for those actions. Users should still guard their tokens and review every edit/install approval.

Install only if you intend to let an agent manage skills from a Hub. Configure SKILL_HUB_URL only for a Hub you trust, keep tokens private, review install/edit diffs, and only allow --yes after you have explicitly approved the exact install or metadata change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Vague Triggers

Medium
Confidence
86%
Finding
The trigger phrases are broad enough that ordinary conversation like 'install X' or 'what's new on the hub' could invoke a skill that performs network operations and local installation. Over-broad activation increases the chance of unintended execution, especially in multi-skill environments where the agent may select this skill without the user intending privileged actions.

Vague Triggers

Medium
Confidence
84%
Finding
The workflow says to run scripts whenever the user asks a 'Hub-related question' and gives very broad examples. That permissive activation logic can cause the agent to execute shell/network actions on vague prompts, increasing the risk of accidental installs, reconnaissance against configured hubs, or invocation by prompt collisions.

Missing User Warnings

Medium
Confidence
94%
Finding
The doctor command sends the configured token to the remote Hub during an authenticated connectivity probe, but the script does not present a clear user-facing warning that running diagnostics will transmit credentials off-host. In a security-sensitive environment, users may treat a 'doctor' command as local-only; this can cause unintended credential disclosure to a misconfigured, malicious, or attacker-controlled endpoint.

Missing User Warnings

Medium
Confidence
91%
Finding
The diagnostic performs a remote PUT request to probe whether the /edit route is mounted, yet only describes it as a probe and does not emphasize that this is a state-changing HTTP verb against a remote service. Even with an empty body and fake slug, some servers, proxies, or nonstandard implementations could log, trigger workflows, or unexpectedly mutate state, making this riskier than a read-only health check.

Chaining Abuse

High
Category
Tool Misuse
Content
    # Prune every backup beyond the EDIT_BACKUP_RETENTION newest entries.
    # The paths come from $backups one per line; xargs tokenizes on whitespace,
    # so a path containing spaces or quotes would be split before rm sees it.
    local to_delete
    to_delete=$(echo "$backups" | tail -n +"$((EDIT_BACKUP_RETENTION + 1))")
    if [[ -n "$to_delete" ]]; then
      echo "$to_delete" | xargs -r rm -f
    fi
  fi
Confidence
84%
Finding
The backup-pruning step pipes a computed file list straight into `| xargs -r rm`, chaining list generation with unconditional deletion and no confirmation step.

VirusTotal

62/62 vendors flagged this skill as clean.
