AgentAudit

Security checks across malware telemetry and agentic risk

Overview

AgentAudit is a real security-gate tool, but it also persists and ships API credentials and can upload detailed audit reports to a remote registry, which users should review before installing.

Install only if you are comfortable registering with agentaudit.dev, storing an API key locally, and potentially sending audit reports containing package metadata and code snippets to the AgentAudit registry. Avoid using it on private/proprietary packages unless uploads are explicitly disabled and verified, and replace or remove the bundled credentials before use.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (37)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding:
The skill declares itself as a simple pre-install security gate, but the documentation clearly instructs use of network access and shell execution for registration, gate checks, uploads, cloning, and verification. Undeclared powerful capabilities reduce transparency and make it easier to smuggle broader behavior into an environment that may authorize the skill based on its stated purpose alone.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding:
There is a substantial mismatch between the stated purpose ('checks packages before installation') and the documented behaviors, which include credential handling, report uploads, key rotation, repository cloning, and local integration steps. This kind of scope expansion is dangerous because users and agents may trust and invoke the skill under a narrower security model than the skill actually requires.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
The skill is presented as a pre-install gate, but the workflow also directs agents to perform full source audits and submit reports to a remote service. That additional data-handling and outbound network behavior materially changes the trust boundary and can lead to unexpected exfiltration of code metadata or findings.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding:
The documented setup includes registration, API key management, leaderboard participation, and reporting features that are not necessary for a local pre-install safety check. Expanding scope beyond the declared purpose increases the chance that sensitive operations are performed under misleading expectations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
For a package-install gate, local storage and rotation of API keys is an unnecessary sensitive capability that introduces credential exposure risk. Any compromise of the skill, its storage locations, or related scripts could leak or misuse credentials for the remote service.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The installer performs agent registration behavior that is broader than the stated purpose of a package-vulnerability gate. Even if intended as product onboarding, silently invoking registration expands data flow and trust assumptions beyond what a user would expect from a local security-checking skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
Automatic agent registration is not necessary for a basic package-vulnerability checker and introduces unnecessary external communication plus identity creation. In this skill context, that mismatch increases concern because users expect a defensive utility, not account or agent enrollment side effects.

Context-Inappropriate Capability

Severity: Low
Confidence: 87%
Finding:
The installer modifies Claude Code configuration by creating a persistent symlinked integration, which exceeds a simple package-checking operation. While likely convenience-driven, changing user tool configuration without an explicit prompt can create unwanted persistence and trust expansion.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding:
The skill metadata promises a narrow pre-install vulnerability-database gate, but the prompt actually defines a full manual-style source-code and malware audit workflow. This mismatch can cause the agent to read far more package content and perform broader analysis and reporting actions than the user or integrator would reasonably expect, which is a genuine scope/deception issue.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
The prompt instructs saving JSON and uploading audit results via an external script, which is an outbound action not justified by a simple local pre-install vulnerability gate. In skill context, unsolicited result upload increases data-handling risk because audit outputs may contain sensitive code excerpts, file paths, or package metadata.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding:
The prompt directs the agent to read all files in the target package and perform broad behavioral malware hunting, which exceeds the stated purpose of checking packages against a vulnerability database before installation. This over-collection expands trust boundaries and may expose unrelated source contents to the model and downstream reporting paths.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding:
The prompt's branding as a general security audit conflicts with the narrower manifest claim of automatic vulnerability-database checking. That documentation mismatch is security-relevant because users may approve this skill under a lower-risk assumption than the workflow actually requires.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding:
The prompt instructs the agent to fetch findings from a remote API and submit review verdicts back to that service, which materially exceeds the declared purpose of a package vulnerability gate used before package installation. This mismatch creates an undeclared data egress and task-expansion channel: an operator may invoke the skill expecting passive package checks, while the skill can instead perform authenticated remote review actions using available credentials.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
This section explicitly enables sending reviewer verdicts and reasoning to an external service, a capability not justified by the skill’s stated role of checking packages against a vulnerability database prior to installation. Even if the destination is legitimate, hidden write-back behavior can leak analyst judgments, consume privileged API keys, and cause unintended external side effects.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding:
The documented API exposes substantially broader capabilities than the skill's stated purpose of acting as a pre-installation package security gate. Registration, report upload, peer review, fix reporting, leaderboard, and agent profiling expand the skill into a general networked reporting platform, increasing attack surface, data-sharing scope, and the chance that an agent using this skill performs unintended external actions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
Peer review, fix submission, leaderboard, and agent-profile features are unrelated to a narrowly scoped install-time safety gate and suggest scope creep beyond the declared function. In an agent context, unjustified capabilities are dangerous because they can be invoked to transmit data, modify external records, or establish persistent identity without a clear user need.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
The script performs agent registration and persists an API key to disk, which is outside the narrowly stated purpose of a package-vulnerability gate. While registration may be part of the product design, persisting credentials in both the skill directory and a user-level config creates additional sensitive state and expands the attack surface if the skill is installed in shared or less-trusted locations.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
This script registers the host with an external service and persists an API key, which is materially different from the declared purpose of a package-vulnerability gate. In a security tool, undisclosed account registration and credential storage expands trust boundaries and can enable tracking, remote dependency, and future authenticated data exchange without clear user justification.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The script creates and stores long-lived credentials in both skill-local and user-level locations even though the stated purpose is only to check packages against a vulnerability database. This hidden capability increases exposure if the host is shared or later compromised, and it gives the skill persistent access beyond a one-time package check.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding:
The file header explicitly says the script registers for an API key and saves credentials, which conflicts with the skill description about package vetting. In security-sensitive tooling, this kind of capability mismatch is dangerous because users may grant trust based on the advertised purpose while the code performs additional identity and credential operations.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding:
The script implements API key rotation and credential storage, which is outside the declared purpose of a package-vulnerability gate. That mismatch is dangerous because it expands the skill's privilege surface to sensitive credential management, enabling secret exposure or unauthorized account control if the skill is installed or invoked in an untrusted context.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
The code loads an API key from local credentials or environment and persists replacement credentials back to disk in two locations. For a skill advertised only as checking package safety before install, this unjustified access to authentication material creates unnecessary secret-handling risk and could be abused to overwrite, exfiltrate, or misuse credentials.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding:
The script's behavior materially differs from the skill's stated purpose: instead of only checking packages before installation, it loads local credentials and uploads structured reports to a remote service. In a security-gating skill, undisclosed outbound submission increases risk because users may run it in trusted workflows and unintentionally transmit sensitive audit data or metadata off-host.

Description-Behavior Mismatch

Severity: High
Confidence: 92%
Finding:
The script uploads locally produced scan reports to a remote service, which materially exceeds the narrowly described skill purpose of checking packages against a vulnerability database before installation. In a security-gate context, outbound publication can leak package names, repository URLs, findings, and metadata about private code or internal dependencies to a third party, creating a confidentiality and trust-boundary risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding:
The script loads an API key and uses it to authenticate report uploads to an external registry, introducing credential handling and authenticated outbound actions not justified by the stated pre-install checking function. Even if the key is handled normally, this expands the privilege surface and can enable unauthorized publication or exposure of sensitive audit data if the environment is not expecting networked write operations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal