deep-coding-p

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate multi-agent coding harness, but it needs review because it grants broad local file, command, agent-spawning, dashboard, and logging authority with some weak controls.

Install only in a dedicated project workspace or container/VM, not in a home directory or repository containing secrets. Use trusted Builder/Reviewer agents, narrow session visibility and agent allowlists, keep the dashboard bound to localhost, review what files and logs will be exposed, and consider fixing the dashboard Markdown sanitization and log-retention behavior before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill requests or describes substantial filesystem access and local server/network behavior without an explicit permission declaration, which can cause users or host platforms to underestimate its capabilities. In this skill's context, it reads project files, logs, and request JSONs and serves them over HTTP, so undeclared capabilities materially increase the risk of unintended data exposure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The description frames the skill as a coding orchestration system, but the documented behavior also includes running a dashboard server, enumerating project state files, reading logs/requests, and serving local files and log data. This mismatch is dangerous because users may invoke the skill expecting code coordination while it also exposes a broader data-access and local HTTP surface that could leak sensitive project contents or logs.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The dashboard renders agent-controlled Markdown via `v-html="renderMarkdown(...)"`, and `markdown-it` by default permits raw HTML unless explicitly disabled or sanitized afterward. Because the displayed content comes from project/review/handoff data produced by agents and logs, an attacker who can influence that content can inject script-capable or event-handler HTML into the operator dashboard, leading to stored XSS and compromise of whoever views it.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The instructions authorize shell-based local server execution and related operational commands during review without clearly limiting what may be executed or what content may be served. In an adversarial or mixed-trust workspace, this can expose local project contents over HTTP or normalize command execution beyond the minimum required for code review.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
The delivery workflow requires launching persistent local web servers, probing them with curl, tracking PIDs, and killing processes later, which materially expands the skill from code orchestration into host-level operational control. If misused or applied in sensitive environments, this can expose generated or existing local files, interfere with other services, or lead to unsafe process management.

Ssd 3

Medium
Confidence
90% confidence
Finding
The mandatory persistent logging captures task descriptions, actions, outcomes, and deliverables in natural language and instructs that logs 'stay forever,' creating a durable data-retention channel for potentially sensitive user content, project details, or secrets. In a coding system that may handle proprietary code and prompts, broad persistent logs increase exposure through later access, reuse, or accidental disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.