Architecture Visualization & Governance

Security checks across malware telemetry and agentic risk

Overview

This skill has a real Tencent Cloud Advisor use case, but it also asks for broad cloud authority, can create/delete IAM roles and generate console login links, disables TLS verification in fallback paths, and includes unrelated bulk-publishing guidance for avoiding ClawHub anti-spam controls.

Install only after reviewing the cloud permissions and removing or ignoring the unrelated publishing guide. Use a least-privilege Tencent Cloud subaccount or temporary credentials, avoid storing long-lived AK/SK values in shell startup files, review any role before creation, do not share generated login links, and do not run this in environments where TLS verification might be disabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (25)

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 86%
Finding: The skill is presented as a visualization/governance tool but also performs sensitive IAM and local-environment management operations, including role creation, policy attachment, AssumeRole, cleanup, and persistence-related shell guidance. This mismatch can mislead users about the true privilege and system impact of running the skill, increasing the chance of overbroad consent and unsafe execution.

Description-Behavior Mismatch
Severity: High
Confidence: 99%
Finding: This document is unrelated to the stated architecture visualization/governance purpose and instead provides operational guidance for bulk publishing skills while working around anti-spam defenses introduced after a supply-chain incident. Instructions on throttling, batching, and publication tactics materially facilitate abuse of a distribution platform and indicate suspicious packaging of non-functional content inside the skill.

Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: The token rotation and batch publishing instructions are not justified by the skill’s declared purpose and are classic anti-abuse circumvention tactics. They enable scaling submissions while reducing detection likelihood, which can be used to flood the platform with spam or malicious packages.

Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: Recommending metadata, permissions, and dependency changes purely to increase content differences for acceptance is especially dangerous because it encourages deceptive package mutation rather than legitimate functional changes. Altering permissions/dependencies to evade similarity detection can introduce unnecessary privileges and supply-chain risk.

Description-Behavior Mismatch
Severity: Medium
Confidence: 84%
Finding: The README positions the skill as architecture visualization/governance, but it also documents privileged operations such as role creation, environment setup, credential validation, cleanup, and passwordless console access. This scope expansion can cause the agent to activate for security-sensitive account-management actions that users may not expect, increasing the chance of over-privileged behavior or accidental execution of risky workflows.

Intent-Code Divergence
Severity: High
Confidence: 97%
Finding: The security section claims AK/SK are not transmitted over the network, yet the skill explicitly performs authenticated Tencent Cloud API requests using those credentials. Even if the raw secret key is not logged or persisted, authenticated requests necessarily use credential-derived material over the network, so the documentation is misleading and may cause unsafe trust assumptions by users or reviewers.

Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: The documentation tells users the role is only for read-only Advisor access, but later creation instructions grant broader `QcloudTAGFullAccess` and `QcloudAdvisorFullAccess` permissions. This violates least privilege and can cause users to approve materially broader access than they were led to expect.

Intent-Code Divergence
Severity: Medium
Confidence: 97%
Finding: The security section claims secrets are never written to files, yet earlier setup instructions explicitly direct users to append `TENCENTCLOUD_SECRET_ID` and `TENCENTCLOUD_SECRET_KEY` to shell profile files such as `~/.bashrc`. Persisting long-lived cloud credentials in plaintext startup files materially increases exposure through local compromise, backups, dotfile syncing, and accidental disclosure.

Intent-Code Divergence
Severity: Medium
Confidence: 87%
Finding: The module claims it is read-only and does not modify configuration, but it can persist role configuration to a file when it discovers an existing role. Security-relevant misrepresentation is dangerous because users and automation may grant trust or execute the script under false assumptions about side effects.

Description-Behavior Mismatch
Severity: High
Confidence: 97%
Finding: The script is explicitly designed to delete local configuration, cached data, and optionally a cloud CAM role. Those destructive capabilities are not aligned with the stated skill purpose of architecture visualization and governance, which makes the file suspicious and increases the risk of unintended or unauthorized destructive actions being exposed through the skill.

Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: The code can delete the cloud CAM role named advisor by calling the Tencent CAM DeleteRole API using ambient credentials from the environment. IAM/CAM role deletion is a high-impact administrative action and is not justified by a visualization/dashboard skill, so its presence materially increases the chance of privilege disruption or destructive misuse.

Description-Behavior Mismatch
Severity: High
Confidence: 97%
Finding: The script creates an IAM role and attaches broad policies (QcloudTAGFullAccess and QcloudAdvisorFullAccess), which is a privileged write action not aligned with a skill advertised primarily for visualization and governance dashboards. In an agent/skill context, hidden or under-disclosed IAM mutation materially increases risk because invocation can change the user's cloud security posture and expand access without a narrowly scoped, auditable consent flow.

Intent-Code Divergence
Severity: Medium
Confidence: 89%
Finding: The docstring states the script should only run after explicit user consent and must not execute automatically, but the program performs IAM write operations immediately upon invocation with no runtime confirmation gate. This mismatch creates a safety hazard in agentic environments, where a wrapper or automation may invoke the script assuming it is non-destructive or consent-guarded.

Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: When certifi is unavailable, the script creates an SSL context with hostname checking disabled and certificate verification turned off before sending signed STS requests and handling temporary cloud credentials. This enables man-in-the-middle interception or tampering of credential-bearing traffic, which is especially dangerous because the script generates console login URLs that can grant cloud console access.

Description-Behavior Mismatch
Severity: High
Confidence: 96%
Finding: The setup script can create a new CAM role and modify IAM/CAM state even though the skill is presented as a visualization/governance tool. In this context, automatic identity and access management changes expand the blast radius of installation and can grant persistent access paths that exceed what users may reasonably expect from a read-oriented architecture dashboard skill.

Context-Inappropriate Capability
Severity: High
Confidence: 95%
Finding: The code attaches broad policies, including full access to the Advisor service and TAG permissions, to a newly created role. For a skill whose purpose is visualization and dashboards, granting full-access policies is excessive and increases the risk of privilege misuse, overreach, or compromise if the role is later abused.

Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: The fallback SSL context explicitly disables certificate validation and hostname verification, which allows a man-in-the-middle attacker to intercept or modify HTTPS traffic. Because this script signs and sends cloud API requests using sensitive credentials, weakening TLS directly exposes API confidentiality and integrity.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The guide tells users to run a batch publishing script and rotate tokens without any warning about account restrictions, policy violations, or credential security. Even if framed operationally, this normalizes unsafe handling of automation and credentials and can lead users to violate platform controls or expose tokens.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: Suggesting retries with other tokens encourages unsafe credential practices and tacitly endorses bypassing rate-limit/account protections. This increases the likelihood of account compromise, policy abuse, and attribution evasion during mass publication.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: Documenting generation of passwordless console login links without a prominent warning normalizes a highly sensitive capability that grants direct console access. In an agent skill context, this is especially risky because users may invoke it casually, and leaked or misdirected links could enable unauthorized access or privilege misuse.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The document states that enabling Advisor authorization will also enable report interpretation and cloud architecture collaboration permissions, but it does not clearly warn that this action changes account/service authorization state and grants additional capabilities. In an agent skill context, documentation like this can lead users or downstream automation to perform a privilege-affecting operation without informed consent, increasing the risk of unintended authorization expansion.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The document requires generation of a passwordless console login link and instructs the agent to present it to the user, but it does not include safeguards such as authorization checks, scope limitations, expiry guidance, masking, or a warning that the link is a sensitive bearer credential. In this context, the link grants direct access to a cloud console resource, so accidental disclosure in chat history, logs, screenshots, or to the wrong recipient could lead to unauthorized access and exposure or modification of architecture data.

Missing User Warnings
Severity: High
Confidence: 99%
Finding: The fallback path silently disables TLS certificate validation without warning the user, so the script may proceed insecurely in environments missing certifi. Because this code exchanges cloud API credentials and obtains temporary STS tokens used to build passwordless login URLs, an active network attacker could intercept or modify responses with little visibility to the operator.

Missing User Warnings
Severity: High
Confidence: 99%
Finding: TLS verification is disabled silently, so users receive no indication that their connection is insecure. In this skill's context, the code communicates with Tencent Cloud APIs using secrets and signed requests, making silent TLS downgrade especially dangerous because intercepted traffic could reveal metadata or enable response tampering.

Ssd 4
Severity: High
Confidence: 99%
Finding: The guide gives a step-by-step playbook to evade anti-spam and anti-abuse controls through throttling, token rotation, staged rollout, and content variation after referencing a prior supply-chain attack. In the context of a skill unrelated to publishing operations, this is strong evidence of distribution abuse enablement and increases the risk of malicious or deceptive mass deployment.

VirusTotal

VirusTotal findings are pending for this skill version.