Skill Introduction

Security checks across malware telemetry and agentic risk

Overview

This skill is a local documentation-page generator with an optional user-configured deploy hook, and the reviewed behavior is disclosed and aligned with that purpose.

Use this on skill directories you trust, especially if you plan to publish the output: include directives read local files relative to the source document, so untrusted markdown can pull file contents into the generated pages. Run with --no-deploy unless you intentionally configured SKILL_INTRO_DEPLOY_CMD, and only point that variable at a deploy script you control, because it runs with the permissions of whatever user invokes the generator.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
else:
    print("[INFO] First deployment via deploy hook...")
cmd = shlex.split(deploy_cmd) + [str(out)]
r = subprocess.run(cmd, capture_output=True, text=True, env=env)
if r.returncode == 0:
    output_text = r.stdout.strip()
    print(output_text)
Confidence
93% confidence
Finding
r = subprocess.run(cmd, capture_output=True, text=True, env=env)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises and instructs use of sensitive capabilities including reading arbitrary local files, writing output files and cache files, consulting environment variables, invoking shell commands, and optionally deploying via a user-provided command that may access the network. However, the manifest shown does not declare permissions for these capabilities, creating a mismatch that can bypass user expectations and reduce security review visibility. This is more dangerous in context because the deploy hook is explicitly pluggable through an environment variable, which can execute arbitrary commands and expose local data during generation or deployment.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill's core purpose is HTML generation, but it also supports executing any external deploy hook specified through an environment variable. That broadens the trust boundary significantly and creates a hidden execution pathway not constrained to safe deployment behavior, making abuse easier in automated agent environments.
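The three findings above all concern the same code path: the deploy hook is taken from an environment variable, tokenised with shlex.split, given the output directory as its last argument and executed with the caller's environment. The block below is an added illustration, not code from the skill or from SkillSpector. It reproduces that wiring in build_deploy_cmd and then shows the kind of gate a practitioner would put in front of subprocess.run: the hook must be an absolute path to a regular, executable file inside an operator-chosen directory (the allowed_dir parameter and the ownership and write-permission rules are assumptions, not something the page specifies), and the child gets a minimal environment rather than the generator's full one. The demo function builds a throwaway hook script in a temporary directory so the example runs offline.

```python
import os
import shlex
import stat
import subprocess
import tempfile
from pathlib import Path
from typing import List, Optional


def build_deploy_cmd(deploy_cmd: Optional[str], out: Path, no_deploy: bool) -> Optional[List[str]]:
    """Same shape as the wiring in the finding: tokenise the env-var value with
    shlex (no shell, so $(...) stays a literal token) and append the output dir.
    Returns None when --no-deploy is set or no hook is configured."""
    if no_deploy or not deploy_cmd or not deploy_cmd.strip():
        return None
    return shlex.split(deploy_cmd) + [str(out)]


def check_deploy_hook(argv: List[str], allowed_dir: Path) -> Optional[str]:
    """Return a rejection reason, or None if argv[0] is acceptable.
    Assumed policy (not from the page): absolute path, resolved inside allowed_dir,
    regular file, owned by the current user, not group/world writable, executable."""
    if not argv:
        return "empty command"
    exe = Path(argv[0])
    if not exe.is_absolute():
        return "hook must be an absolute path, not resolved via PATH"
    try:
        real = exe.resolve(strict=True)  # follows symlinks before the containment check
    except FileNotFoundError:
        return f"hook does not exist: {exe}"
    allowed = allowed_dir.resolve()
    if allowed not in real.parents:
        return f"hook {real} is outside {allowed}"
    st = real.stat()
    if not stat.S_ISREG(st.st_mode):
        return "hook is not a regular file"
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        return "hook is not owned by the current user"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "hook is writable by group or others"
    if not os.access(real, os.X_OK):
        return "hook is not executable"
    return None


def run_deploy_hook(deploy_cmd: Optional[str], out: Path, no_deploy: bool,
                    allowed_dir: Path) -> Optional[subprocess.CompletedProcess]:
    """Gate, then run with a minimal environment and a timeout."""
    argv = build_deploy_cmd(deploy_cmd, out, no_deploy)
    if argv is None:
        return None
    reason = check_deploy_hook(argv, allowed_dir)
    if reason is not None:
        raise PermissionError(f"refusing deploy hook: {reason}")
    env = {"PATH": "/usr/bin:/bin", "HOME": os.environ.get("HOME", "")}
    return subprocess.run(argv, capture_output=True, text=True, env=env, timeout=60)


def demo() -> dict:
    """Constructed scenario: one legitimate hook script plus rejected variants."""
    with tempfile.TemporaryDirectory() as tmp:
        hooks = Path(tmp) / "hooks"
        hooks.mkdir()
        hook = hooks / "deploy.sh"
        hook.write_text('#!/bin/sh\necho "deploying $1"\n')
        hook.chmod(0o700)
        out = Path(tmp) / "site"
        out.mkdir()
        results = {}
        results["disabled"] = run_deploy_hook(str(hook), out, True, hooks)      # --no-deploy wins
        results["ok"] = run_deploy_hook(str(hook), out, False, hooks).stdout.strip()
        results["relative"] = check_deploy_hook(["sh", "-c", "id"], hooks)      # PATH lookup refused
        results["outside"] = check_deploy_hook(["/bin/sh", "-c", "id"], hooks)  # not under hooks/
        results["literal"] = build_deploy_cmd("rsync -a $(id)", out, False)[:3]  # no shell expansion
        return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The gate does not make an arbitrary hook safe; it only guarantees the operator, not the environment, chose which file runs. Whatever that script does still happens with the invoking user's permissions, which is the point the overview makes.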

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The include directive joins the user-supplied relative path with the source file directory and normalizes it, but it never verifies that the resolved path stays within an allowed base directory. An attacker can use values like '../' to traverse outside the document tree and read arbitrary local files that the process can access, which is especially risky in a documentation-generation skill that may process untrusted markdown.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This code reads and returns the contents of arbitrary local files referenced by the include directive without any consent prompt, disclosure, or trust boundary enforcement. In the context of a skill that renders and may publish documentation, included file contents could be silently exposed in generated output or deployment artifacts, turning local file access into information disclosure.
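The two include findings above describe one defect: the directive's path is joined to the source file's directory and normalised, but nothing checks that the result is still inside the document tree. The block below is an added example, not the skill's code. It reproduces the vulnerable resolution, then a containment check built on os.path.commonpath with a second pass through os.path.realpath so a symlink inside the tree cannot point out of it. It also goes beyond the '../' case in the finding: an absolute include path is rejected explicitly because os.path.join silently discards the base when the second argument is absolute, and prefix_check_accepts shows why a plain string-prefix test (/docs matching /docsy) is not a substitute. The /docs layout is constructed for the example; the checks are lexical, so nothing needs to exist on disk.

```python
import os
from typing import Optional


def resolve_include_vulnerable(source_dir: str, rel: str) -> str:
    """The pattern in the finding: join with the source file's directory and
    normalise, with no check that the result stays under any base directory."""
    return os.path.normpath(os.path.join(source_dir, rel))


def prefix_check_accepts(base_dir: str, candidate: str) -> bool:
    """A naive containment test. Wrong: '/docsy/x.md' starts with '/docs'."""
    return candidate.startswith(base_dir)


def _contained(base: str, candidate: str) -> bool:
    try:
        return os.path.commonpath([base, candidate]) == base
    except ValueError:  # mixed absolute/relative or different drives
        return False


def resolve_include_safe(base_dir: str, source_dir: str, rel: str) -> Optional[str]:
    """Resolve an include relative to source_dir but only return it if it lies
    inside base_dir. Returns None for anything that escapes the tree."""
    if os.path.isabs(rel):
        return None  # os.path.join would drop source_dir entirely for an absolute rel
    base = os.path.normpath(os.path.abspath(base_dir))
    candidate = os.path.normpath(os.path.join(source_dir, rel))
    if not _contained(base, candidate):
        return None  # lexical escape via '..'
    # Second pass: a symlink at or under base could still point outside it.
    if not _contained(os.path.realpath(base), os.path.realpath(candidate)):
        return None
    return candidate


def read_include(base_dir: str, source_dir: str, rel: str) -> str:
    """What a directive handler would do with the safe resolver; raises instead
    of silently pulling an out-of-tree file into the rendered output."""
    path = resolve_include_safe(base_dir, source_dir, rel)
    if path is None:
        raise ValueError(f"include {rel!r} resolves outside {base_dir!r}")
    with open(path, encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    print(resolve_include_vulnerable("/docs/guide", "../../etc/passwd"))   # /etc/passwd
    print(resolve_include_safe("/docs", "/docs/guide", "../../etc/passwd"))  # None
    print(resolve_include_safe("/docs", "/docs/guide", "../intro.md"))       # /docs/intro.md
```

For a generator that may also publish its output, rejecting the include is the right default: the alternative, rendering the file and warning afterwards, still leaves the contents in the artifact that was deployed.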

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal