
Security audit

Clawdbot Security Suite.Bak

Security checks across malware telemetry and agentic risk

Overview

This security skill is purpose-aligned, but its automatic hook and examples create review-level risk by shell-executing tool-derived input, failing open, and logging sensitive values locally.

Review before installing, and prefer manual CLI use over enabling the automatic hook until the hook avoids shell-built execution, fails closed on errors or unclear output, and documents/redacts local logs. Do not copy the eval-based execution examples into real workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (17)

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding: The documentation makes a strong privacy claim that analysis is fully local and involves no external calls, while elsewhere it describes updating threat patterns from external sources. This inconsistency can mislead operators into trusting the skill in environments where outbound network access is restricted or sensitive, creating a security and compliance risk.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding: The privacy section states there is no data transmission and no external calls, but other sections advertise community threat intelligence and pattern updates. Conflicting security guarantees are dangerous because users may enable the skill under false assumptions about data flow and network isolation.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The hook builds a shell command string from untrusted values and executes it with execSync, which invokes a shell. Although arguments are wrapped in double quotes, shell metacharacters such as embedded quotes, command substitution, or platform-specific parsing quirks can still break out and enable command injection, especially because tool inputs like commands, URLs, paths, and content are attacker-controlled.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The file advertises that it prevents command injection, SSRF, path traversal, and prompt injection, but the actual implementation allows execution whenever the validator is missing, returns an unclear result, throws an error, or the hook itself fails. In a security-control component, this fail-open behavior can let malicious inputs pass precisely when the control is unavailable or attacked, undermining the claimed protection.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding: The documented 'fail-safe' philosophy is inverted: it says to allow execution when validation fails or the skill is missing. In a security skill, this undermines the control entirely because attackers can target validation failures, missing binaries, or ambiguous states to bypass protection and still reach command execution.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding: The instructions say to 'ALWAYS validate' commands, but the sample logic still executes the command when validation is unclear. That creates a straightforward bypass path where any parser error, unexpected output, or validator malfunction degrades into execution of potentially malicious shell input.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding: The skill claims 'No data transmission' and 'no telemetry or external calls' while also documenting a threat-intelligence update mechanism, which strongly implies network communication may occur. Misleading privacy and network-behavior claims can cause operators to deploy the skill in sensitive environments under false assumptions, increasing data handling and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The hook logs raw tool arguments and later logs full commands, URLs, and paths to a file under the user's home directory and to the console. Those values can contain secrets, internal endpoints, tokens in query strings, filesystem locations, or sensitive user data, creating a secondary exposure channel for anyone with log access or downstream log collection.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The installation instructions direct the agent to download remote content, extract it, copy files into the local skill directory, and change permissions, all without clear user consent or warnings about local system modification. This increases the risk of silent supply-chain compromise or unintended filesystem changes in environments where agents may execute such instructions automatically.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The example recommends running user-derived shell commands through eval, which is inherently dangerous because it re-interprets shell metacharacters and expansions. Even with prior validation, parser gaps or output ambiguities can turn attacker-controlled input into arbitrary command execution.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding: The web request integration encourages fetching user-supplied URLs after a validator check but does not require informing the user that an external request will be made. In agent contexts, this can expose internal metadata, identifiers, or user-derived data to third parties and can amplify SSRF-style risks if validation is incomplete.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding: The installation instructions copy files into the user's Clawdbot skill directory and later encourage enabling hooks, which changes local agent behavior and persists beyond the current session. While this is normal for installation documentation, the lack of an explicit warning about modifying local configuration and execution flow can mislead users into making persistent changes without understanding the security implications.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The README recommends validating a command string and then executing it with eval, which re-parses shell metacharacters and allows arbitrary command execution if validation is bypassed, incomplete, or incorrectly integrated. In a security-focused skill, this is especially dangerous because users may place undue trust in the validator and adopt an unsafe execution pattern in real workflows.

Vague Triggers

Severity: Medium
Confidence: 76%
Finding: The trigger guidance is overly broad, telling agents to use the skill before file operations and when processing external content without clear limits. In agent systems, vague always/before rules can cause over-invocation, denial of service, unnecessary exposure of sensitive content to secondary tooling, and unpredictable control-flow behavior.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The instruction to 'Always validate external content' is unscoped and can lead an agent to route nearly all external inputs through this skill. That can create excessive tool use, recursive scanning patterns, performance issues, and accidental handling of data that did not need secondary processing.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: This script logs raw user-supplied inputs such as commands, URLs, paths, and scanned content to a persistent file under the user's home directory without warning, consent, masking, or minimization. Because the tool is explicitly used to inspect potentially sensitive or dangerous strings, the log can accumulate secrets, internal URLs, filesystem paths, prompt contents, and other confidential data that may later be exposed to other local users, backup systems, support bundles, or unrelated processes.

Session Persistence

Severity: Medium
Category: Rogue Agent
Confidence: 86%
Content:
### Step 3: Install Security Hook (Advanced)
```bash
# Copy hook to Clawdbot hooks directory
mkdir -p ~/.clawdbot/hooks/
cp -r clawdbot-security-suite/hooks/security-validator ~/.clawdbot/hooks/

# Enable the hook
```
Finding: mkdir -p ~/.clawdbot/hooks/ cp -r clawdbot-security-suite/hooks/security-validator ~/.clawdbot

VirusTotal

66/66 vendors flagged this skill as clean.
