Session Password

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malware, but it mixes session security with poorly scoped payment and recovery behavior that should be reviewed before installation.

Install only after reviewing and fixing the payment and recovery paths. Rotate or remove the embedded billing key, make prices consistent, require explicit consent before any charge, narrow triggers to explicit commands, align setup with the authentication files actually used, and remove plaintext recovery-code logging/storage before relying on this as a security boundary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Context-Inappropriate Capability

Severity
Medium
Confidence
95%
Finding
This package claims to be a secure authentication guard, but its metadata includes paid billing configuration and an embedded billing API key. That is unrelated to the core security function and materially increases risk by introducing monetization logic and exposing what appears to be a secret credential directly in the package, which can be abused for unauthorized billing or service access.

Intent-Code Divergence

Severity
Medium
Confidence
97%
Finding
The header comments state a per-call price of 0.9 USDT and a buyout of 29 USDT, but the code actually charges 0.01 USDT and does not implement the documented buyout flow in the main handler. In a billing-integrated skill, misleading pricing is a security-relevant integrity issue because users, operators, or downstream agents may make trust and payment decisions based on false documentation.

Intent-Code Divergence

Severity
High
Confidence
99%
Finding
The documented logic says access should depend on successful charging or recharge, but the catch block grants access whenever billing fails. This fail-open behavior allows free use of the protected skill during API outages, network errors, or intentionally induced failures, directly bypassing monetization and access control.
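The fail-open pattern this finding describes, beside a fail-closed replacement, as an added example that is not the skill's own code. `billing` stands in for the skill's HTTP billing client as a hypothetical synchronous object whose `charge(userId, amount)` returns `{ ok: boolean }` or throws on transport and authentication errors; the per-call price is set to the 0.9 USDT the header comments document, which is an assumption about what the code should charge.

```javascript
// Added example (not the skill's code): the fail-open catch block the finding
// describes, beside a fail-closed replacement. `billing` is a hypothetical
// synchronous client whose charge(userId, amount) returns { ok: boolean } or
// throws on transport/auth errors (the real skill talks to the billing API over
// HTTP; synchronous doubles keep the comparison self-contained).

const PRICE_PER_CALL_USDT = 0.9; // assumption: the price the header comments document

// Vulnerable shape: a timeout, 5xx, revoked key or any other thrown error lands
// in catch and is treated as if the charge had succeeded.
function guardFailOpen(billing, userId) {
  try {
    const res = billing.charge(userId, PRICE_PER_CALL_USDT);
    return { allowed: res.ok === true, reason: res.ok ? 'charged' : 'declined' };
  } catch (err) {
    return { allowed: true, reason: 'billing-unavailable' }; // BUG: fail-open
  }
}

// Hardened shape: only a confirmed successful charge grants access. Errors and
// declines both deny, and each outcome is appended to an audit array so an
// operator can tell an outage apart from a decline.
function guardFailClosed(billing, userId, audit = []) {
  let res;
  try {
    res = billing.charge(userId, PRICE_PER_CALL_USDT);
  } catch (err) {
    audit.push({ userId, event: 'billing-error', detail: err instanceof Error ? err.message : String(err) });
    return { allowed: false, reason: 'billing-unavailable' };
  }
  if (!res || res.ok !== true) {
    audit.push({ userId, event: 'charge-declined' });
    return { allowed: false, reason: 'declined' };
  }
  audit.push({ userId, event: 'charged', amount: PRICE_PER_CALL_USDT });
  return { allowed: true, reason: 'charged' };
}

// Constructed billing doubles covering the three outcomes.
const billingOk = { charge: () => ({ ok: true }) };
const billingDeclined = { charge: () => ({ ok: false }) };
const billingDown = { charge: () => { throw new Error('ECONNRESET'); } };

// Runs both guards against every double and returns the decisions side by side.
function compareGuards() {
  const cases = { ok: billingOk, declined: billingDeclined, down: billingDown };
  const out = {};
  for (const [name, client] of Object.entries(cases)) {
    out[name] = {
      failOpen: guardFailOpen(client, 'user-1').allowed,
      failClosed: guardFailClosed(client, 'user-1').allowed,
    };
  }
  return out;
}

console.log(JSON.stringify(compareGuards(), null, 2));
```

The only row where the two guards disagree is the outage case: the fail-open guard admits the caller, the fail-closed guard denies and records a `billing-error` event. An attacker who can make the billing call fail (blocking egress, exhausting the rate limit, supplying a bad key) gets the same free access as a genuine outage, which is why the exception path must deny.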

Intent-Code Divergence

Severity
Medium
Confidence
97%
Finding
In stub mode, the recovery code is not merely logged but also written to disk and returned in plaintext to the caller. That exposes a live password-reset factor to any local user, process, log collector, or agent with workspace access, which can enable unauthorized password resets.

Intent-Code Divergence

Severity
Medium
Confidence
95%
Finding
This script generates security documentation that asserts concrete protections such as bcrypt hashing, lockouts, audit logging, recovery mechanisms, and anti-bypass controls, but the script itself only emits static DOCX content and does not verify that any of those controls actually exist. That creates a documentation integrity issue: operators, reviewers, or downstream users may rely on false security claims and deploy or approve the skill under a mistaken belief that authentication protections are implemented.

Intent-Code Divergence

Severity
Medium
Confidence
96%
Finding
The setup wizard explicitly tells users that recovery codes will be sent to the provided email, but this script only validates and stores the address and never generates or sends any recovery code. This creates a security-functionality mismatch that can mislead users into relying on a nonexistent recovery path, potentially causing account lockout and unsafe compensating behaviors.

Intent-Code Divergence

Severity
Medium
Confidence
97%
Finding
The final success message reinforces that a recovery code can be requested and sent by email, but no such mechanism is implemented in this file. Repeating this false assurance increases the likelihood that users will trust an unavailable recovery channel during an incident, undermining availability and recovery planning.

Intent-Code Divergence

Severity
Medium
Confidence
96%
Finding
The script is labeled as a test and comments suggest use of a dummy user ID, but it sends authenticated requests to the live production billing service using a hardcoded API key. This creates a real risk of unintended financial operations, misuse of production credentials, and accidental interaction with live customer billing state during testing.

Vague Triggers

Severity
Medium
Confidence
91%
Finding
The trigger conditions are overly broad and based on generic authentication-related terms, which can cause the skill to activate in conversations that merely mention passwords or authentication concepts. In an authentication skill, unintended invocation is more dangerous because it can interrupt sessions, expose auth flows unnecessarily, or enable misuse of recovery/change-password paths at inappropriate times.

Vague Triggers

Severity
Medium
Confidence
91%
Finding
The Chinese trigger definition is similarly open-ended, matching common terms such as '口令' (passphrase), '密码' (password), and '认证' (authentication) without further scoping. Because this skill governs session access, accidental activation in normal conversation can create denial-of-service-like friction, unintended lockouts, or inappropriate exposure of password recovery functionality.

Vague Triggers

Severity
Medium
Confidence
92%
Finding
The documented trigger conditions are broad enough to activate the authentication skill on ordinary mentions of words like "password" or "auth," which can cause unintended interception of unrelated user requests. In a session-level security module, unexpected activation can disrupt workflows, create denial-of-service-like friction, and potentially expose authentication state transitions or recovery flows in contexts where they were not explicitly requested.
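The three trigger findings above describe the same defect from the English, Chinese and documented trigger definitions. The following added example (not the skill's code) models that broad keyword trigger beside a narrowly scoped one that only fires on an explicit command or an imperative phrase aimed at the session; the command name, subcommands and phrase patterns are assumptions chosen for illustration, and the sample messages are constructed.

```javascript
// Added example (not the skill's code): the broad keyword trigger the findings
// describe, beside a narrowly scoped one. Command name, subcommands and the
// phrase patterns are assumptions chosen for illustration.

// Broad trigger, as the skill's English and Chinese trigger definitions are
// described: any occurrence of a generic term anywhere in the message fires it.
const BROAD_KEYWORDS = ['password', 'auth', 'login', '口令', '密码', '认证'];

function broadTrigger(message) {
  const text = message.toLowerCase();
  return BROAD_KEYWORDS.some((k) => text.includes(k));
}

// Narrow trigger: only an explicit slash command or an imperative phrase aimed at
// the session fires, and it yields a specific action rather than a boolean.
const SLASH_COMMAND = /^\/session-password\s+(lock|unlock|change-password|recover)\s*$/i;
const EXPLICIT_PHRASES = [
  [/^(please\s+)?lock\s+(my|the)\s+session\s*[.!]?$/i, 'lock'],
  [/^(please\s+)?unlock\s+(my|the)\s+session\s*[.!]?$/i, 'unlock'],
  [/^(请)?锁定(我的)?会话[。！]?$/, 'lock'],    // "(please) lock (my) session"
  [/^(请)?解锁(我的)?会话[。！]?$/, 'unlock'],  // "(please) unlock (my) session"
];

function narrowTrigger(message) {
  const text = message.trim();
  const cmd = text.match(SLASH_COMMAND);
  if (cmd) return cmd[1].toLowerCase();
  for (const [re, action] of EXPLICIT_PHRASES) {
    if (re.test(text)) return action;
  }
  return null;
}

// Constructed messages: the first three merely mention auth concepts (the second
// only because "author" contains "auth"), the last three are genuine requests.
const SAMPLE_MESSAGES = [
  "what's a good password manager for a small team?",
  'who is the author of this library?',
  '我忘了数据库密码怎么办',   // "I forgot the database password, what do I do"
  '/session-password lock',
  'please lock my session',
  '请锁定我的会话',           // "please lock my session"
];

function evaluateTriggers(messages = SAMPLE_MESSAGES) {
  return messages.map((m) => ({ message: m, broad: broadTrigger(m), narrow: narrowTrigger(m) }));
}

console.table(evaluateTriggers());
```

The broad trigger fires on all six messages, including a question about a password manager and a sentence containing "author"; the narrow trigger stays silent on those and returns `lock` only for the three explicit requests. Returning an action rather than a boolean also keeps recovery and change-password paths reachable only when the user names them.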

Missing User Warnings

Severity
Medium
Confidence
99%
Finding
The stub mode prints the recipient email and active recovery code to console and writes the code to a file in the workspace. Because this module stores sensitive auth state under a shared workspace/memory path, the skill context makes this more dangerous: other tools, agents, users, or telemetry systems may read these artifacts and take over the account recovery flow.

Missing User Warnings

Severity
Medium
Confidence
94%
Finding
The script collects a recovery email and persists it in both the user data file and the audit log without clearly informing the user that this personal information will be stored locally. This is a privacy and data-handling issue: local disclosure, backup leakage, or unintended access to workspace files could expose the email address and link identity to the account.

Missing User Warnings

Severity
Medium
Confidence
97%
Finding
The charge test issues a real POST request to the billing charge endpoint with live authentication and no confirmation gate, safety prompt, or mock mode. Even if the current dummy user may lack funds, the code path normalizes real charging behavior in a test script and could charge accounts if parameters are changed or reused improperly.

Unpinned Dependencies

Severity
Low
Category
Supply Chain
Confidence
90%
Content
},
  "dependencies": {
    "bcrypt": "^5.1.1",
    "axios": "^1.6.0"
  },
  "pricing": {
    "type": "paid",
Finding
"axios": "^1.6.0" is declared as a caret range rather than an exact version (as is "bcrypt": "^5.1.1"), so the version that gets installed depends on the registry state and the lockfile at install time rather than on the manifest.

Known Vulnerable Dependency

Severity
High
Category
Supply Chain
Confidence
97%
Finding
axios==1.6.0 matches 10 advisories: CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF); CVE-2026-42044 (Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `pars); CVE-2026-25639 (Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig); +7 more. The scanner evaluated the floor of the ^1.6.0 range; the version actually installed may be higher, so confirm it from the lockfile before treating these advisories as applicable.
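The two manifest findings (the unpinned ranges here and the embedded billing key in the Context-Inappropriate Capability finding) are both checkable before installation from package.json alone. The following added example is neither the skill's nor SkillSpector's code: it parses a constructed manifest modelled on the dependency block quoted above, reports every dependency whose spec is not an exact version together with the lowest version the range admits, and flags string values under secret-looking keys in non-standard top-level fields. The `pricing` sub-fields and the placeholder key are assumptions, not the skill's real values.

```javascript
// Added example (not the skill's or SkillSpector's code): a pre-install review of
// a skill's package.json for unpinned dependency ranges and secret-looking values
// in non-standard metadata. The manifest is constructed; its pricing fields and
// placeholder key are assumptions, not the skill's real values.

const MANIFEST_JSON = `{
  "name": "session-password",
  "version": "1.0.0",
  "dependencies": {
    "bcrypt": "^5.1.1",
    "axios": "^1.6.0"
  },
  "pricing": {
    "type": "paid",
    "pricePerCallUsdt": 0.01,
    "apiKey": "EXAMPLE-PLACEHOLDER-NOT-A-REAL-KEY"
  }
}`;

// Fields npm itself defines; anything else is skill metadata worth inspecting.
const STANDARD_FIELDS = new Set([
  'name', 'version', 'description', 'main', 'scripts', 'dependencies', 'devDependencies',
  'peerDependencies', 'optionalDependencies', 'engines', 'license', 'author', 'repository',
  'keywords', 'files', 'bin', 'type',
]);
const SECRET_KEY_RE = /(api[-_]?key|secret|token|password|private[-_]?key)/i;

// Exact "x.y.z" is pinned. Anything else (^, ~, >=, x, *, ranges, dist-tags) lets
// the resolver pick a different version later; return the lowest version admitted.
function classifySpec(spec) {
  const exact = spec.match(/^v?(\d+\.\d+\.\d+)$/);
  if (exact) return { pinned: true, floor: exact[1] };
  const range = spec.match(/^[\^~>=\s]*v?(\d+\.\d+\.\d+)/);
  return { pinned: false, floor: range ? range[1] : null };
}

function findUnpinned(manifest) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const c = classifySpec(spec);
      if (!c.pinned) out.push({ name, spec, floor: c.floor });
    }
  }
  return out;
}

// Walk non-standard top-level fields and report dotted paths of string values
// stored under secret-like keys.
function findEmbeddedSecrets(manifest) {
  const hits = [];
  const walk = (node, path) => {
    if (typeof node !== 'object' || node === null) return;
    for (const [k, v] of Object.entries(node)) {
      const p = `${path}.${k}`;
      if (typeof v === 'string' && v.length > 0 && SECRET_KEY_RE.test(k)) hits.push(p);
      else walk(v, p);
    }
  };
  for (const [k, v] of Object.entries(manifest)) {
    if (!STANDARD_FIELDS.has(k)) walk(v, k);
  }
  return hits;
}

function reviewManifest(json = MANIFEST_JSON) {
  const manifest = JSON.parse(json);
  return { unpinned: findUnpinned(manifest), secrets: findEmbeddedSecrets(manifest) };
}

console.log(JSON.stringify(reviewManifest(), null, 2));
```

For the constructed manifest the review lists both dependencies as unpinned with floors 5.1.1 and 1.6.0 and reports `pricing.apiKey`. The floor is what a scanner compares against advisories; the version a user actually installs is whatever `npm ls axios` shows after install, so the fix is to pin exact versions, commit the lockfile, and move any credential out of the manifest into the operator's own configuration.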

VirusTotal

66/66 vendors flagged this skill as clean.
