Skill Installer

Security checks across malware telemetry and agentic risk

Overview

This is a real skill installer, but it can overwrite local skills and run unsafe shell commands from user-provided input.

Review before installing. Use only in a disposable or backed-up skills environment, edit the hard-coded skills path first, pass only simple trusted skill names, and prefer an official scoped installer flow when possible. Do not rely on this package to safely preserve existing skills or verify downloaded skill archives.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The installer fallback executes `npx clawhub install ... --force` through a shell, which delegates installation to external package tooling and may fetch and execute untrusted code. In a skill installer, this materially increases attack surface because the script already downloads and manipulates filesystem content, so a compromised package, argument injection, or malicious dependency chain can lead to arbitrary code execution.

Missing User Warnings

Medium
Confidence: 86%
Finding
The documentation describes downloading, extracting, moving, and force-reinstalling skills into the user's skills directory, but it does not clearly warn that existing files may be overwritten or modified. This is dangerous because users may execute install or force options without understanding the risk of data loss, unintended replacement of trusted skills, or corruption of their local environment.

Missing User Warnings

Medium
Confidence: 98%
Finding
``execSync(`npx clawhub search ${query} 2>&1`)`` interpolates user-controlled input directly into a shell command, creating a command injection path. A crafted search term containing shell metacharacters could execute arbitrary commands on the host running the installer.

Missing User Warnings

High
Confidence: 95%
Finding
The installer deletes existing directories and unzips/downloads remote content before moving it into the skills directory, all without authenticity verification or user confirmation. This combination makes the operation dangerous because a malicious archive or tampered download can overwrite trusted content, and the forced CLI fallback further expands the chance of arbitrary code execution or destructive changes.

Self-Modification

High
Category: Rogue Agent
Content
### Force Reinstall

Overwrite existing skill:

```bash
node install.cjs install todoist --force
```
Confidence: 91%
Finding
Overwrite existing skill

VirusTotal

No VirusTotal findings