Bud Health Monitor

Security checks across malware telemetry and agentic risk

Overview

The skill is disclosed primarily as a health monitor with auto-fix behavior, but its fix mode can kill unrelated processes and change kernel cache settings without confirmation.

Install only if you intentionally want a Raspberry Pi/home-server tool that can take active remediation actions. Use status/json/watch freely for reporting, but treat fix as disruptive: it may kill legitimate applications or services and may attempt privileged kernel cache changes. Avoid unattended cron-based fix runs unless you have reviewed and narrowed the process-kill rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Medium
Category: MCP Least Privilege
Confidence: 94%
Finding
The skill advertises and documents shell execution, file access, and state/log writing while declaring no explicit permissions, creating a capability/permission gap that can bypass user expectations and platform controls. In this context, the gap is more dangerous because the documented behavior includes process termination and privileged cache dropping via a dependency on sudo-tool, so undeclared capabilities could be used for disruptive system actions.

High
Category: MCP Tool Poisoning
Confidence: 91%
Finding
The skill’s stated purpose is health monitoring, but the documented behavior expands into active remediation such as killing processes and writing to /proc/sys/vm/drop_caches, which materially changes the risk profile. This mismatch is dangerous because users may invoke a seemingly diagnostic skill without appreciating that it can disrupt workloads, and the omitted or inaccurate claims about service/temperature monitoring further undermine informed consent and safe deployment.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The skill automatically terminates processes based on simplistic RAM heuristics and a fragile substring allowlist, which can kill legitimate user or service workloads outside the justified scope of monitoring. In an agent context, this creates an unsafe remediation capability that can cause denial of service, data loss, and disruption of unrelated applications.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
Writing to /proc/sys/vm/drop_caches changes kernel memory-management behavior and requires elevated privileges, which exceeds the expectation of a health-monitoring skill. Triggering privileged system tuning from a general-purpose agent increases the risk of misuse, instability, and unintended interference with normal system operation.

Missing User Warnings

Medium
Confidence: 96%
Finding
The auto-fix section describes destructive remediation—terminating processes and forcing kernel cache drops—without a prominent warning that these actions can interrupt services, kill important applications, or cause data loss if processes are not shut down cleanly. In a Raspberry Pi or home server environment, automated invocation via cron makes this especially risky because the actions may occur unattended during normal workloads.

Vague Triggers

Medium
Confidence: 84%
Finding
The skill description uses broad wording such as monitoring system health and auto-detecting issues, which can match common operational requests and cause the skill to activate in situations where the user only wanted status information. Because this skill also includes auto-fix behavior with process killing and privileged cache dropping, overly broad activation increases the chance of unintended disruptive actions.

Missing User Warnings

High
Confidence: 99%
Finding
The auto-fix path performs destructive remediation—killing processes and dropping caches—without prior warning, approval, or a dry-run mode. In an autonomous or semi-autonomous agent setting, lack of informed consent materially increases the likelihood of harmful actions being taken on the user's system.

VirusTotal

VirusTotal findings are pending for this skill version.
