Ops Hygiene

Security checks across malware telemetry and agentic risk

Overview

This is mostly a defensive maintenance skill, but it needs review because its heartbeat script can use a stored mail API key to check a fixed inbox the user did not configure.

Install only after reviewing or editing the heartbeat script. Remove or parameterize the hard-coded AgentMail inbox, require explicit opt-in before reading .secrets or checking mail, and supervise recurring runs so memory logs, git reminders, and secret-scan output do not preserve sensitive information unintentionally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill instructs the agent to execute shell commands and update local files, but it does not declare any permissions. That creates a trust and review gap: operators may approve or auto-load the skill without understanding that it can write workspace state and invoke scripts that touch secrets, logs, and system health data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The stated purpose is generic maintenance, but the behavior described expands into email access, API-key usage from local secrets, local LLM triage, service monitoring, and automated heartbeat escalation. This mismatch is dangerous because broad, benign-seeming activation criteria can cause the agent to perform sensitive actions in contexts where a user only expected routine hygiene, increasing the chance of unintended data access or secret exposure.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script performs email inbox access and triage even though the stated skill purpose is maintenance and security hygiene. That expands the skill's data-access scope to communications data and creates an unnecessary pathway for sensitive metadata to be processed, including by a secondary service via Reef triage.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The activation language is very broad and can match many routine maintenance, audit, or security-posture requests. In this skill's context, that is more dangerous because activation may pull in procedures that run shell scripts, read memory/state files, inspect secrets, and potentially access email-related workflows without a narrowly scoped user request.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script extracts an AgentMail API key directly from a secrets file and uses it without any user-facing disclosure or consent boundary. Secret use for unrelated mailbox access increases the chance of unauthorized data access and normalizes hidden credential consumption inside a routine maintenance workflow.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends triage prompts to a local HTTP service without clear disclosure, creating undisclosed network transmission of operational or email-related metadata. Even though the destination is localhost, local services may be untrusted, compromised, or bridged to other systems, so the hidden transfer still presents data-exposure risk.

VirusTotal

64/64 vendors flagged this skill as clean.