configsafe

Security checks across malware telemetry and agentic risk

Overview

ConfigSafe is, for the most part, the local configuration scanner it discloses itself to be, but its license handling can run code from crafted license content, and its hook feature makes persistent changes to Git hook configuration.

Install only if you trust the publisher and the source of any license key. Avoid pasting license tokens from untrusted channels, and review the hook install behavior before using it because it changes repository hook configuration and runs automatically on future commits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises and invokes shell execution (`bash .../scripts/configsafe.sh`) and also makes network-related claims via a homepage/renewal URL, install metadata using Homebrew, and license-handling behavior, yet no explicit permissions are declared. This creates a transparency and trust problem: users and policy engines cannot accurately assess or constrain the skill's capabilities before execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The top-level description says the skill audits infrastructure configuration files, but the body also describes modifying local repositories via git hook installation, reading user config files for license keys and policies, tier-gated behavior, and broader reporting/compliance functions. This mismatch can mislead users into granting trust to what appears to be a read-only scanner when it can also change local state and access sensitive local configuration.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill is presented as a configuration auditor, but it includes commands that modify repository state by installing and removing Git hooks and editing lefthook.yml. This expands the trust boundary from read-only analysis into persistent code execution on future commits, which can surprise users and create a supply-chain foothold if the skill or referenced scripts are later changed.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Hook installation appends to or creates repository configuration without a clear pre-action warning that files in the repo will be modified. Because Git hooks execute automatically during developer workflows, silently adding them can change behavior in a persistent and security-relevant way beyond a normal one-shot scan.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Hook uninstallation rewrites lefthook.yml using broad text processing without clearly warning the user that repository configuration will be destructively edited. This can remove or corrupt unrelated hook content, causing integrity and workflow issues in the repository.

VirusTotal

66/66 vendors flagged this skill as clean.