Security audit

Cuihua Code Reviewer

Security checks across malware telemetry and agentic risk

Overview

This is a local code-review skill whose risky-looking code is mostly detection patterns, examples, and intentionally vulnerable fixtures, but users should treat reports as sensitive before sharing them.

Install only if you are comfortable letting it read the files or directories you ask it to review. Keep generated reports private unless you have reviewed them for secrets and sensitive code, and use Slack, email, GitHub, cron, pre-commit, or API server examples only with explicit team approval and appropriate redaction/security controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Description-Behavior Mismatch

Severity: Medium. Confidence: 91%.

Finding: The examples expand a review-only skill into automatic code modification by offering to apply fixes and update files. That broadens the operational scope from analysis to mutation, which increases the chance of unsafe or unintended edits and can mislead users and integrators about the skill's actual trust boundary.

Description-Behavior Mismatch

Severity: Medium. Confidence: 93%.

Finding: The Slack example adds outbound notification behavior that is not part of a narrowly scoped local code-review function. Review output can contain sensitive source code, findings, file paths, or secrets, so documenting silent exfiltration to a webhook materially changes the data exposure risk of the skill.

Description-Behavior Mismatch

Severity: Medium. Confidence: 94%.

Finding: Presenting the skill as a networked HTTP API server changes it from a local analyzer into a service that accepts remote input and processes untrusted code. This significantly broadens the attack surface and operational expectations beyond a simple code-review assistant.

Context-Inappropriate Capability

Severity: Medium. Confidence: 96%.

Finding: The Slack webhook example introduces outbound network transmission unrelated to the minimum functionality needed for local code review. Because review reports may embed proprietary code or security findings, this creates a realistic exfiltration channel if copied into real workflows without safeguards.

Context-Inappropriate Capability

Severity: Medium. Confidence: 95%.

Finding: The Express server example turns the analyzer into a network-facing service, enabling untrusted remote submissions and creating exposure to denial-of-service, abuse, and data handling risks. This is an unjustified capability expansion unless the skill is explicitly designed and secured as a service.

Intent-Code Divergence

Severity: Medium. Confidence: 96%.

Finding: The report materially misrepresents evidence for a claimed high-severity eval finding by showing only a comment instead of executable code. In a code-review skill, inaccurate or fabricated evidence can mislead users into trusting incorrect security assessments, causing bad remediation decisions and weakening the integrity of the review process.

Intent-Code Divergence

Severity: Medium. Confidence: 98%.

Finding: These repeated low-severity findings claim 'Regex Compiled in Loop', but the snippets are comments, TODOs, and issue markers that do not demonstrate the behavior. This indicates systematic report corruption or poor finding-to-snippet mapping, which can flood users with false positives and hide real issues by reducing confidence in the tool's output.

Missing User Warnings

Severity: Medium. Confidence: 97%.

Finding: The Slack notification example sends review output externally without warning that the report may contain sensitive code, paths, secrets, or vulnerability details. Users copying this example may unintentionally disclose proprietary or regulated information to a third-party endpoint.

Missing User Warnings

Severity: Medium. Confidence: 92%.

Finding: The API example writes submitted code to a temporary file on disk but provides no warning about persistence, local exposure, or cleanup failure scenarios. Submitted code may be sensitive, and temporary storage can create forensic remnants or broaden access to data on multi-user systems.

Vague Triggers

Severity: Low. Confidence: 83%.

Finding: The invocation examples are broad natural-language requests such as reviewing files or directories, without strong activation boundaries, confirmation requirements, or scope limits. In an agent environment, this can cause the skill to trigger unexpectedly on ordinary user requests, potentially reading large portions of a repository or producing actions through the skill pathway that the user did not explicitly intend.

Missing User Warnings

Severity: Medium. Confidence: 97%.

Finding: This is a real vulnerability, not merely a disclosure issue. The function executes a shell command using unsanitized user input via string interpolation, which enables command injection and can lead to arbitrary command execution on the host system. In a code-review assistant context, code handling may be automated and run with elevated access to repositories or infrastructure, making exploitation especially dangerous.

Missing User Warnings

Severity: Medium. Confidence: 89%.

Finding: This is a true issue because the function performs a fetch to a user-supplied URL without validation or disclosure, creating SSRF-style risk and allowing unexpected outbound requests. An attacker could use this to probe internal services, access metadata endpoints, or exfiltrate data through server-side network access if the function runs in a privileged environment.

VirusTotal

64/64 vendors flagged this skill as clean.