S2-Gateway-Transition-Logic

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent and its behaviour is mostly disclosed, but it can permit access-control transit without a token while reporting that a token was validated.

Review before installing in any real access-control workflow. Require downstream BMS or ACS systems to perform their own authorization, do not automatically execute ACS_OPEN_RELAY from this skill, and confirm whether tokenless silicon_agent inbound access is intended before exposing the vault token environment variable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares access to a sensitive environment variable in metadata but does not present a clear, explicit permission model or user-facing disclosure for secret-backed authorization decisions. In an agent setting, hidden use of environment-backed secrets can bypass user understanding and create confused-deputy behavior, especially when the skill is framed as making security decisions on transit requests.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The function returns the reason "Token validated securely." for any PERMIT decision, but inbound access can also be granted to a `silicon_agent` without any token check. This creates a misleading audit trail and can cause downstream systems or operators to wrongly believe token-based authentication occurred when it did not.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill description says transit requests are evaluated using the vault token, but the code permits inbound access for `silicon_agent` entities without validating any token. In an access-control context for a physical gateway, undocumented alternate authorization paths are dangerous because an attacker may only need to influence `entity_type` rather than possess a valid credential.

Vague Triggers

Low
Confidence
84% confidence
Finding
The description is broad enough that the skill could be invoked in ambiguous contexts without clear preconditions, such as who is allowed to request transit evaluation, what identifiers must be provided, and when the tool should refuse. For a security-sensitive gatekeeping workflow, vague invocation boundaries increase the chance of accidental or unauthorized use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill discusses use of a sensitive environment variable for token validation but does not include a prominent user-facing warning about privacy and security implications of submitting auth tokens. In this context, users may provide credentials without understanding retention, handling, validation flow, or the risks of sharing access tokens through conversational interfaces.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The manifest enables auto-discovery but does not define any trigger scope, allowlist, or exclusion conditions, which can cause the skill to be surfaced or invoked in broader contexts than intended. In this skill, that risk is amplified because it has access to a sensitive environment variable containing vault tokens and performs gateway/transit decisions, so unintended activation could expose privileged logic to inappropriate workflows.

VirusTotal

65/65 vendors flagged this skill as clean.
