errorlens

Security checks across malware telemetry and agentic risk

Overview

ErrorLens is a local code-scanning skill with documented optional repo changes for hooks and baselines, and I found no hidden telemetry, exfiltration, or destructive behavior.

Use this for local error-handling scans if you trust the bundled scripts. Review before running `hook install`, because it changes repo hook behavior for future commits, and run `baseline` only when you intentionally want existing findings suppressed by a repo-local baseline file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill declares shell execution and file-writing behavior in its documented commands and hook installation flow, but does not declare corresponding permissions. That creates a transparency and consent problem: users may invoke what appears to be a passive analyzer while the skill can modify repository state and execute local commands. In an agent ecosystem, undeclared capabilities increase the risk of unexpected side effects or abuse if the script content changes or is compromised.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The top-level description frames the skill as a code analyzer, but the documented behavior extends into licensing, git hook installation, watch/CI orchestration, baseline suppression, and status/config handling. This mismatch can mislead users and higher-level agents about the operational scope, causing them to approve or invoke the skill in contexts where side effects, persistence, or policy-relevant behavior were not expected. The risk is amplified because some of these actions modify repository state or affect future commits.

Context-Inappropriate Capability

High
Confidence
88% confidence
Finding
Baseline mode writes .errorlens-baseline.json into the target repository, which is a state-changing action in a tool presented primarily as an analyzer. In security-sensitive or automated contexts, unexpected writes can alter repository contents, affect future scan visibility by suppressing findings, and create integrity/trust issues if invoked without clear user intent.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is presented as an analyzer, but it also installs and removes git hooks, which changes repository behavior and expands its operational scope beyond passive analysis. In agent environments, this creates persistence-like behavior and can surprise users by altering commit workflows in ways not implied by the core scanning description.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The hook installation logic writes or appends to repository configuration and causes future commits to execute skill-controlled code from a path that can be overridden via ERRORLENS_SKILL_DIR. This is dangerous because an analyzer should not silently gain recurring execution inside developer workflows, and the environment-controlled path increases the risk of unintended or malicious code being sourced later.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The uninstall path rewrites repository configuration using broad text processing, which can delete or corrupt unrelated sections if the file format or matching assumptions differ. An analysis tool should not make destructive configuration edits without strong safeguards, backups, or user approval.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The invocation examples are broad and overlap with common code-review and safety-audit requests, without strong routing constraints. In an agent setting, this can cause over-triggering of the skill on ordinary prompts, leading to unnecessary shell execution, scanning of large codebases, or unintended file modifications if the agent chooses related commands like hook or baseline workflows. Broad activation surfaces are a security concern when a skill has side effects beyond pure analysis.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The baseline function writes a suppression file immediately, without any confirmation in the function itself, making it easy to persistently hide existing findings by mistake. In practice this can weaken future analysis by normalizing or concealing known issues, especially in CI or shared repositories where users may not realize scan output is being modified.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This code modifies repository configuration immediately, with no confirmation prompt or dry-run, which increases the chance of unintended changes in user repositories. In a CLI skill context, silent config mutation is risky because users may invoke it expecting analysis, not persistent workflow alteration.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The uninstall routine rewrites lefthook.yml without prior warning, backup, or validation, so a user can lose configuration unexpectedly. This is especially risky because the removal logic uses pattern-based text deletion rather than structured parsing, making accidental damage more likely.

VirusTotal

60/60 vendors flagged this skill as clean.
