Skill Release Audit

Security checks across malware telemetry and agentic risk

Overview

This is a local skill-audit tool whose only meaningful side effect is a clearly documented, opt-in Python dependency installer.

Safe to install if you want a local static auditor for skills. Run it normally for read-only reports; use --auto-install only when you intentionally want pip to contact package registries and install packages into the active Python environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Attempt pip install. Returns (success, message)."""
    pip_name = pip_package_name(pkg_name)
    try:
        result = subprocess.run(
            [sys.executable, "-m", "pip", "install", pip_name, "--quiet"],
            capture_output=True,
            text=True,
Confidence
95% confidence
Finding
result = subprocess.run( [sys.executable, "-m", "pip", "install", pip_name, "--quiet"], capture_output=True, text=True, timeout=timeout,

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill is marketed as report-only and non-mutating by default, but the documented `--auto-install` mode permits environment modification and likely network access through pip. This can mislead operators, policy engines, or reviewers into approving a tool under weaker assumptions than its full behavior warrants, increasing the chance of unintended package installation or supply-chain exposure.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This module performs package installation even though the skill metadata describes the skill as a pure reporter that never edits files. That mismatch is dangerous because users may run the auditor expecting read-only behavior, while it can instead alter the local environment and trigger execution of third-party package installation logic.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
A subprocess-based installer is not justified for a static audit tool and materially increases risk. Installing packages from names derived from scanned imports can expose the host to dependency confusion, malicious packages, or execution of setup/build hooks during installation.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The docstring explicitly advertises auto-install behavior, which contradicts the higher-level skill description claiming the skill is a pure reporter. While documentation mismatch alone is not code execution, here it reflects a real unsafe capability and increases the chance that reviewers or users misunderstand the module's side effects.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script exposes an `--auto-install` mode that can modify the local Python environment, which contradicts the skill's stated behavior as a pure reporter that never edits files or changes state. In an agent-skill context, users may trust the tool as non-mutating and run it automatically, so hidden or underemphasized environment changes can lead to unintended package installation, supply-chain exposure, and policy bypass.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The CLI wiring turns on package installation when `--auto-install` is passed, even though a pre-publish static auditor does not need execution-side remediation to fulfill its purpose. This expands the attack surface from analysis into environment mutation, creating risk from untrusted dependency resolution and unexpected side effects in CI or developer machines.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The usage text and module description frame the tool as report-only, but the implementation includes an option to mutate the environment. This mismatch is security-relevant because operators, agents, or automation may grant broader trust to an auditor than they would to an installer, increasing the chance of unsafe execution under false assumptions.

VirusTotal

64/64 vendors flagged this skill as clean.
