Xiang miles | Space2.world

Security checks across malware telemetry and agentic risk

Overview

This skill is a small local 3x3 pod manager that reads local JSON pod state and writes local chat logs, with no evidence of network exfiltration or hidden destructive behavior.

Install only if you are comfortable with local chat messages being saved in s2_matrix_data. Avoid typing secrets into the chat, and use pod JSON files you trust because pod metadata influences displayed text and log filenames.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

High
Confidence: 87%
Finding
The manifest presents the skill as a narrowly scoped 3x3 grid manager, but the code reportedly exposes broader JSON-backed file read/write capabilities. That scope expansion increases risk because consumers may invoke or approve the skill under a false assumption of limited functionality, while it can act as a more general local file manipulation primitive.

Description-Behavior Mismatch

Medium
Confidence: 87%
Finding
The manifest presents the skill as a narrowly scoped 3x3 grid manager, but the code reportedly exposes broader JSON-backed file read/write capabilities. That scope expansion increases risk because consumers may invoke or approve the skill under a false assumption of limited functionality, while it can act as a more general local file manipulation primitive.

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill persists user-entered chat content and pod metadata to local log files without an explicit warning or consent flow before collection. This can expose sensitive user input to other local users, backups, or later processes, especially since logs are written in a predictable location and retained indefinitely.

VirusTotal

65/65 vendors flagged this skill as clean.
