ClawHub

python-code-analyz

Security checks across malware telemetry and agentic risk

Overview

This is a local Python code-analysis skill with scanner hits that match examples or detection rules rather than hidden harmful behavior.

Install only if you are comfortable with an unverified publisher and placeholder source links. Run it on code you intentionally want analyzed, review any generated fixes before applying them, and avoid running the publishing helper unless you deliberately want to publish using your ClawHub account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The activation text says users can 'directly paste code' whenever they need code analysis, which is broad enough to trigger on generic requests and may cause the skill to engage outside an explicitly scoped or consented context. In an agent setting, overly broad activation can lead to unintended handling of sensitive source code or replacement of more appropriate workflows.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill promises '可直接使用代码' (directly usable code), which encourages users or downstream agents to apply generated patches without review. Automatically trusted rewrites can introduce logic errors, security regressions, or unsafe behavior if the generated output is wrong or incomplete.

Missing User Warnings

Low
Confidence
70% confidence
Finding
The script writes sample code to a fixed path under /tmp, which can be risky because /tmp is a shared world-writable location on many systems. While this example appears benign, predictable temporary filenames can enable symlink or file-clobbering issues if the script runs with elevated privileges or in a multi-user environment.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal