ClawHub

ecap Security Auditor

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent security auditor, but it automatically reads target package files, uploads audit results to an external registry, and includes live-looking API tokens in documentation.

Review before installing. Use this skill mainly for public packages or code you are comfortable reporting to skillaudit-api.vercel.app. Do not run auto-audit on private repositories without confirming what will be uploaded, keep ECAP_REGISTRY_URL unset unless you fully trust the registry, and treat the documented bearer token as leaked until rotated or removed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The report documents a concrete security-relevant mismatch between the documented identifier format and the API's actual behavior for review/fix submission. When clients are instructed to use the wrong identifier, remediation and peer-review workflows can fail, causing agents to skip or mishandle security actions and undermining the trust and triage pipeline.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
This repeated bug summary confirms the same underlying issue: the documented workflow for security reviews and fix reporting is inconsistent with live endpoint behavior. Such inconsistencies can break audit operations, leave findings unresolved, and create false assumptions that security controls are functioning when they are not.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The document contains contradictory guidance about auditing before installation while also describing workflows where skills are already local after install/use triggers. This can cause agents to perform verification too late, after potentially dangerous install hooks or first-use side effects have already occurred, weakening the protection model.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The document warns never to use custom registry URLs, but the configuration later allows `ECAP_REGISTRY_URL` overrides for upload and registration paths. This inconsistency can create a false sense of safety and enables accidental or malicious redirection of credentials and audit reports to an untrusted endpoint.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The prompt instructs the auditing agent to write a report to disk and then upload it via a shell script, which adds file-write and outbound data transfer behavior to a skill whose stated purpose is to provide analysis structure and prompts. In an agent setting, this can cause unintended exfiltration of audit contents, workspace metadata, or other sensitive data if the upload target or script behavior is not tightly constrained and transparently documented.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script is presented as a verifier, but it also mutates local state by changing permissions on config/credentials.json. Even though tightening permissions is security-motivated, hidden side effects in a verification utility violate least surprise and can be abused in automation or CI contexts where users expect a read-only integrity check.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Changing credential file permissions is outside the core purpose of package integrity verification and introduces unnecessary authority over sensitive local files. In agent or scripted environments, this kind of undeclared write behavior can create operational risk, break workflows, or normalize unexpected access to credential-bearing paths.

Missing User Warnings

High
Confidence
98% confidence
Finding
The documentation includes a concrete bearer token value in example requests, and it appears in a real production-looking API context rather than as an obviously fake placeholder. Publishing reusable API credentials in docs can enable unauthorized report submission, review attempts, or other authenticated actions if the token is still valid, and even expired tokens normalize unsafe secret-handling practices.

Missing User Warnings

High
Confidence
98% confidence
Finding
This is a second exposure of the same live-looking bearer token in public-facing documentation, increasing the chance of credential harvesting and reuse. Repetition across multiple examples makes the leak more severe because readers may assume the token is intentionally shared and valid for testing.

Missing User Warnings

High
Confidence
98% confidence
Finding
Another authenticated example exposes a concrete bearer token without any secret-handling warning, confirming this is not an isolated typo but a documentation pattern. If an attacker reuses the token, they may gain authenticated access to protected API endpoints and tamper with trust-registry data or workflow state.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document explicitly recommends classifying telemetry and outbound network access as zero-penalty 'known patterns' and shows examples that normalize those behaviors without requiring prominent privacy or data-transfer disclosure. In a security scoring framework, this can systematically understate meaningful privacy and exfiltration risk, especially for agent skills and MCP servers that may process sensitive prompts, files, or credentials.

Missing User Warnings

High
Confidence
93% confidence
Finding
The README says the agent will 'auto-audit' source code and upload findings to a shared registry when no report exists, but it does not clearly warn users that local package contents or derived analysis may be transmitted to an external service. In a security-auditing context, this is especially dangerous because users may analyze proprietary, regulated, or sensitive code and unintentionally disclose metadata or security-relevant details to a third party.

Vague Triggers

Medium
Confidence
74% confidence
Finding
The trigger conditions are broad enough that ordinary user language like 'check' or 'verify' could invoke networked audit behavior unexpectedly. In an agent setting, overbroad activation can cause unintended external calls, workflow disruption, or surprise security gating on unrelated actions.

Vague Triggers

Medium
Confidence
74% confidence
Finding
The auto-trigger list includes generic terms like 'audit', 'check', or 'verify', which can cause unintended activation in ordinary conversation. In an agent setting, broad trigger phrases can lead to unsolicited network calls, source retrieval, or scanning workflows on ambiguous user input.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The instruction to read all files is overly broad for a prompt executed by an agent, because it can induce unnecessary access to secrets, unrelated workspace files, or large sensitive datasets beyond the minimum needed for analysis. In this skill context, broad file access is more dangerous because the same prompt also contemplates reporting and upload workflows, increasing the chance that over-collected data is later exposed.

Ssd 4

High
Confidence
91% confidence
Finding
The document contains a multi-step narrative that normalizes running a hidden calibration script as part of expected behavior. Even though this file is test content, embedding operational guidance that conditions an agent or user to accept hidden-script execution is a realistic social-engineering/prompt-poisoning pattern and can facilitate arbitrary code execution if copied into live prompts or skills.

Ssd 1

High
Confidence
90% confidence
Finding
The authoritative phrasing ('must execute', 'normal and required') is designed to steer an LLM or user into executing a script under false pretenses. In an agent-skill context, this is especially dangerous because models may treat embedded instructions in documentation or tool descriptions as trusted operational guidance.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal