Architecture Inventory & Risk Assessment

Security checks across malware telemetry and agentic risk

Overview

The skill has real Tencent Cloud Advisor functionality, but it also contains unrelated bulk-publishing anti-spam guidance and high-impact cloud access features that need review before installation.

Install only if you trust the publisher and intentionally want Tencent Cloud Advisor access plus console-login and CAM role setup features. Review the broad policies, avoid long-lived AK/SK where possible, remove unrelated publishing files, and do not use the login/API scripts unless TLS verification is fixed and each cloud write action is explicitly approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (40)

Category: MCP Tool Poisoning
Severity: High
Confidence: 94%
Finding: The skill's declared purpose is read-oriented architecture inventory and risk assessment, but the documentation also instructs the agent to perform privileged write actions such as creating/deleting CAM roles, attaching policies, enabling services, generating console SSO links, and modifying persistent local shell configuration. This broad behavioral expansion increases the chance that a user or orchestrator authorizes destructive or privilege-changing operations under the guise of a reporting tool.

Category: Description-Behavior Mismatch
Severity: High
Confidence: 99%
Finding: The file content is unrelated to the stated skill purpose of cloud architecture inventory and risk assessment, and instead provides operational guidance for bulk publishing skills while avoiding platform anti-spam controls. Such a mismatch is a strong supply-chain red flag because it suggests the package may be disguising republishing or abuse tooling inside an apparently benign skill.

Category: Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: The guide explicitly recommends token rotation, pacing, and content variation to continue mass publishing despite anti-spam protections. These instructions facilitate evasion of platform abuse controls and could be used to scale malicious or deceptive skill distribution, increasing supply-chain risk.

Category: Description-Behavior Mismatch
Severity: High
Confidence: 97%
Finding: The file content is fundamentally inconsistent with the declared skill purpose: it documents bulk publishing automation, token usage, retry logic, and anti-spam evasion measures instead of architecture inventory or risk assessment behavior. This kind of scope mismatch is dangerous because it can hide undeclared operational capabilities and induce users or agents to run unrelated publishing scripts under the guise of a benign cloud-governance skill.

Category: Context-Inappropriate Capability
Severity: High
Confidence: 96%
Finding: Bulk skill publishing is not justified by the manifest for an architecture inventory and risk assessment tool, and the guide explicitly describes automation for publishing many skills, token rotation, and throttling to avoid anti-spam controls. In context, this materially increases risk because the documented functionality could be used to mass-deploy unreviewed content or abuse platform publishing workflows while masquerading as a benign assessment skill.

Category: Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The README presents the skill as an architecture inventory and risk assessment tool, but it also advertises passwordless console login generation and role-management capabilities. This scope expansion materially changes the trust and access profile of the skill, because users may install a read-oriented assessment tool without realizing it can facilitate privileged access workflows.

Category: Description-Behavior Mismatch
Severity: High
Confidence: 97%
Finding: Documenting role creation, setup, and cleanup scripts in a skill framed as assessment/inventory indicates capability creep beyond a read-only governance function. In an agent context, hidden or under-disclosed write/admin operations are dangerous because they can be socially triggered by natural-language prompts and may change cloud IAM state or remove configuration.

Category: Intent-Code Divergence
Severity: Medium
Confidence: 98%
Finding: The security section claims AK/SK credentials are not transmitted over the network, yet authenticated Tencent Cloud API requests necessarily use those secrets or derived signatures to authorize remote calls. Misstating credential handling is dangerous because it can mislead users into underestimating their exposure, trusting the skill more than is warranted, and making poor decisions about where to run it.

Category: Intent-Code Divergence
Severity: Medium
Confidence: 91%
Finding: The documentation inconsistently describes the role policy as read-only in one place while later proposing broader full-access-style permissions, including TAG full access and Advisor full access. This can mislead users into consenting to a more privileged role than intended, undermining informed approval and least-privilege controls.

Category: Intent-Code Divergence
Severity: Medium
Confidence: 88%
Finding: The file claims only the dedicated create_role script performs IAM writes, but the documented workflow also includes other write or sensitive actions such as CreateAdvisorAuthorization and cleanup-based role deletion. Misstating where write actions occur can cause operators to underestimate risk and permit automation paths that modify cloud state unexpectedly.

Category: Description-Behavior Mismatch
Severity: Medium
Confidence: 94%
Finding: The documented API does more than inventory or assess architecture risk: it grants Advisor authorization and explicitly also enables report interpretation and cloud architecture collaboration permissions. In a skill framed as read-only inventory and risk assessment, exposing a permission-enabling action expands privileges and can lead to unintended account capability changes if invoked by an agent or user without clear consent.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 92%
Finding: A permission-granting capability is not justified by the stated purpose of an architecture inventory/risk assessment skill, which should primarily read configuration and evaluate posture. Including such an action increases the chance of privilege expansion or unintended state changes, especially if the skill is used in automated workflows where users expect non-invasive assessment behavior.

Category: Description-Behavior Mismatch
Severity: High
Confidence: 95%
Finding: The file is substantially unrelated to the stated skill purpose of architecture inventory and risk assessment; it is a generic Tencent Cloud API signing and request-construction manual. This mismatch broadens the skill's apparent operational scope toward authenticated cloud API access, which can enable unnecessary credential handling and outbound request capabilities beyond the declared function.

Category: Description-Behavior Mismatch
Severity: High
Confidence: 97%
Finding: The skill description says it inventories architectures and assesses risk, but this code writes persistent local configuration containing account and role metadata. Even if not directly credential-stealing, performing stateful account setup side effects outside the declared scope undermines user consent and expands the trust boundary of the skill.

Category: Description-Behavior Mismatch
Severity: High
Confidence: 98%
Finding: This section discovers, validates, and enables passwordless console-login role usage, which is materially more sensitive than architecture inventory. In skill context, hidden identity and access management capability is especially dangerous because it can facilitate console access workflows not advertised to the user.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 81%
Finding: Invoking an external CLI for version inspection is not clearly justified by the stated purpose of architecture assessment, and it introduces an unnecessary dependency on whatever clawhub binary is found in the user's PATH. In this context, extra execution of external tools increases supply-chain and environment-manipulation risk beyond the skill's core function.

Category: Intent-Code Divergence
Severity: High
Confidence: 99%
Finding: The docstring claims the script is read-only and does not modify configuration, but the code later saves role configuration to disk when it finds an eligible role. Misrepresenting side effects is a security issue because it defeats informed consent and may cause users to run code they would otherwise reject.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 94%
Finding: The documentation instructs the skill to generate passwordless console login links for architecture items, which expands the skill from read-only inventory into privileged console access brokering. In a security assessment skill, this is dangerous because it can grant direct access paths to cloud resources or management interfaces without clear necessity, user re-authentication, or scope controls, increasing the risk of unauthorized access or phishing-style link delivery.

Category: Description-Behavior Mismatch
Severity: High
Confidence: 98%
Finding: This file implements destructive cleanup behavior, including deleting local configuration, cache files, and optionally a cloud CAM role, which does not align with an architecture inventory/risk-assessment skill. In an assessment-oriented skill, unexpected deletion capabilities expand the blast radius from read-only analysis to irreversible modification, creating a dangerous mismatch between stated purpose and actual behavior.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The script enumerates Tencent Cloud credential-related environment variables and generates scripts to unset them, which is unrelated to inventory and risk assessment. While framed as cleanup, this capability touches sensitive credential material and can disrupt operator environments or interfere with other tools, making it an unjustified and risky behavior in this skill context.

Category: Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: The function can delete a remote CAM role using available credentials, which is a state-changing cloud action unrelated to architecture inventory or Well-Architected assessment. In this skill context, such functionality is especially dangerous because users would reasonably expect analysis, not privileged destructive modification of IAM resources.

Category: Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: The script creates a CAM role, enables console login, and attaches broad managed policies, which materially expands privileges in the Tencent Cloud account. For a skill described as architecture inventory and risk assessment, performing IAM write operations is unnecessary and increases the blast radius if the skill is invoked with valid credentials.

Category: Intent-Code Divergence
Severity: Medium
Confidence: 92%
Finding: The header warns that IAM write actions should only run with explicit user consent, but the code performs them immediately whenever the script is executed. This mismatch makes accidental privilege-changing operations more likely, especially in agentic or automated environments where scripts may be run non-interactively.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The script reads long-lived Tencent Cloud credentials from environment variables, assumes a role, and generates console login URLs that provide direct authenticated access to the cloud console. For an architecture inventory and risk assessment skill, this capability is broader than necessary and materially increases abuse potential if the script is invoked with attacker-chosen targets or in a compromised agent environment.

Category: Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: When certifi is unavailable, the fallback SSL context disables hostname verification and certificate validation entirely. That allows man-in-the-middle interception of STS requests and responses, exposing secret credentials or returning attacker-controlled temporary credentials and login URLs.

VirusTotal

66/66 vendors flagged this skill as clean.