VPS Fusion Monster Server Test

Security checks across malware telemetry and agentic risk

Overview

This VPS benchmark skill is coherent, but it should be reviewed because it downloads and runs an unverified remote binary and can publicly upload detailed server/network results by default.

Install only if you are comfortable running an upstream binary downloaded at runtime and performing broad external network tests from the target machine. Prefer running as a non-root user on a disposable or test VPS, pass -upload=false unless you intentionally want public result sharing, set CN=false if you want to avoid automatic geolocation checks, and treat --call-ai as sharing raw infrastructure results with the configured AI backend.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 76%
Finding:
The skill documentation advertises shell-based execution behavior but provides no declared permissions or trust boundary information. This creates a transparency and consent problem: users may invoke a skill that can execute shell commands without an explicit permission declaration, increasing the risk of unexpected local command execution when paired with the referenced scripts.

Intent-Code Divergence

Medium
Confidence: 91%
Finding:
The README gives conflicting execution models: earlier it says the skill runs by downloading and executing a precompiled upstream binary at runtime, while this section describes source-build and local binary workflows as if they were the primary implementation. That mismatch is security-relevant because users and reviewers may wrongly assume they are auditing local source when the actual deployed behavior may fetch and run remote code, weakening trust and reviewability.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The README states that results are uploaded to a public paste service by default (`-upload` default true) without a prominent warning about privacy and data exposure. Test output includes system, network, IP-quality, routing, and service reachability data that can reveal sensitive infrastructure details if automatically published.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The markdown explicitly says the skill will automatically download a platform-specific precompiled binary at runtime, but it does not warn users about the supply-chain risk of fetching and executing remote binaries. Executing an opaque downloaded binary can lead to full code execution on the host if the upstream source, mirror, CDN, transport, or release artifact is compromised.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The skill performs broad network testing, service reachability checks, traceroutes, streaming unlock probes, IP quality checks, and multi-node speed tests, but the description does not clearly warn that it will contact many third-party services. This can expose the user's IP, trigger provider monitoring or rate limits, and generate unexpected traffic or policy violations in sensitive environments.

Missing User Warnings

Medium
Confidence: 91%
Finding:
When --call-ai is used, the script pipes the full generated prompt to llm, aichat, or ollama. That prompt contains potentially sensitive infrastructure metadata such as public IP address, ASN, location, routing, and service reachability; depending on the backend configuration of those tools, the data may be transmitted to remote model providers without an explicit consent gate or redaction step.

Missing User Warnings

Medium
Confidence: 98%
Finding:
The script automatically downloads the latest remote release binary and executes it locally without any integrity verification, pinning, or explicit user confirmation at runtime. This creates a real supply-chain risk: if the upstream release, CDN path, or transport endpoint is compromised, arbitrary code will be executed on the host under the invoking user's privileges.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The script queries third-party geolocation services to infer whether the system is on a China-based network, which discloses the host's public IP and metadata to external services without prominent warning or opt-in. While not code execution, this is a privacy and data-exposure issue that may be sensitive in managed, enterprise, or regulated environments.

Missing User Warnings

Medium
Confidence: 87%
Finding:
The script's documented parameter passthrough exposes an upstream '-upload' capability that may transmit benchmark results externally, but the wrapper does not prominently warn users about potential outbound data transfer. In this context, the danger is increased because all arguments are forwarded directly to the downloaded binary, so users may unknowingly enable remote data submission through inherited upstream behavior.

VirusTotal

64/64 vendors flagged this skill as clean.
