VPS Guardian

Security checks across malware telemetry and agentic risk

Overview

This is a coherent VPS self-healing tool, but it gives an agent broad unattended root-level power to alter a live server with inconsistent approval safeguards.

Install only if you deliberately want a root-level autonomous remediation tool. Review the code, avoid the unpinned sudo curl install path, run dry-run first on a noncritical host, keep cron or daemon mode disabled until thresholds and whitelists are tuned, and treat firewall/security actions as potentially disruptive despite the approval language.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
size_mb *= 1024
if size_mb > cfg["journal_max_size_mb"]:
    if not dry_run:
        subprocess.run(
            ["journalctl", "--vacuum-size=f{cfg['journal_max_size_mb']}M"],
            timeout=30, capture_output=True
        )
Confidence
93% confidence
Finding
subprocess.run( ["journalctl", "--vacuum-size=f{cfg['journal_max_size_mb']}M"], timeout=30, capt

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documents privileged shell actions that read and write system files and execute remediation commands, but it does not declare permissions up front. This creates a transparency and consent failure: users may install or invoke a highly privileged skill without realizing it can kill processes, restart services, modify firewall state, and alter filesystem contents.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The documentation says security actions require approval, but the example log shows automatic IP blocking after SSH failures. This contradiction is dangerous because operators may rely on approval gating that does not actually exist, leading to unintended firewall changes, lockouts, or disruption of legitimate access.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This skill can autonomously modify firewall policy by inserting iptables DROP rules, which is a sensitive security-control change with potential to deny legitimate access. In the context of an autonomous VPS agent, this is more dangerous because it acts without interactive confirmation and may lock out operators or users based on log-derived heuristics.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The docstring states that blocking requires approval, but the implementation will auto-block when auto_block=true. That mismatch is dangerous because operators may deploy the tool under a false understanding of its behavior, leading to unexpected network denial, self-lockout, or blocking of benign sources.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill strongly promotes autonomous destructive actions—killing processes, truncating logs, dropping caches, changing permissions, and restarting services—without a prominent upfront warning about outage, data loss, or access disruption. In a root-level VPS management context, understated risk increases the chance of unsafe deployment and accidental self-inflicted denial of service.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The language emphasizes automatic action over human approval and frames autonomy as the default, which can normalize unsafe operation of a privileged remediation tool. In context, this increases the likelihood that users run it unattended with root access before tuning thresholds, allowlists, or approval gates.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The manifest explicitly markets the skill as taking autonomous corrective actions such as killing processes, freeing disk, restarting services, and hardening security, but provides no warning that these actions may be destructive or alter a live system. In the context of an agent skill, this increases the chance that users invoke powerful system-changing behavior without informed consent, which can lead to service disruption, data loss, or unsafe remediation on production hosts.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The agent autonomously sends SIGTERM and SIGKILL to processes it classifies as runaway based on a flawed lifetime-average CPU calculation. In a privileged self-healing tool, this can kill legitimate workloads or critical business processes, causing service disruption or data loss without operator review.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The disk cleanup routine deletes files from /tmp and performs other space-reclamation actions automatically, which can remove application data, temporary state, or files still expected by running services. In an autonomous admin agent, destructive cleanup without explicit warnings or safeguards increases the likelihood of availability issues and accidental data loss.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Writing to /proc/sys/vm/drop_caches triggers a global kernel cache drop, which can degrade performance significantly and affect unrelated workloads. Because this is done automatically by a privileged agent, it can cause broad system impact without clear operator consent or context-aware safeguards.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Automatic firewall rule insertion based on parsed auth logs can block benign IPs, lock out administrators, or create persistent denial of access. In this skill's context, the danger is elevated because the tool is explicitly designed to act autonomously on a production VPS.

Unsafe Defaults

Medium
Category
Tool Misuse
Content
### 4. Security Hardening
- Detects unexpected listening ports (diffs against baseline)
- Identifies brute-force SSH attempts (fail2ban integration)
- Flags world-writable files in /etc, /root
- Checks for suspicious processes (crypto miners, reverse shells)
- **Action**: Blocks IPs via iptables, chmods files, kills suspicious processes
- Never auto-blocks — always requires approval (prevents lockout)
Confidence
82% confidence
Finding
world-writable

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal