Bot Status API

Security checks across malware telemetry and agentic risk

Overview

This looks like a real monitoring API, but it needs review because it exposes detailed bot and host status while running shell checks and weakening TLS by default.

Install only if you intend to run a trusted private monitoring service. Keep it bound to localhost or behind authentication, do not expose /status publicly, use administrator-controlled config only, avoid scanning untrusted skill directories, remove or narrow the global TLS bypass, and review every command check before enabling the persistent systemd service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The code builds a shell command using config.devServers.processGrep and passes it directly to exec(), which invokes a shell. Because the value is inserted inside a single-quoted grep expression, an attacker controlling configuration can break out of the quoting and inject arbitrary shell commands, leading to command execution under the agent's privileges. In this monitoring skill context, config-driven checks are expected, which makes the unsafe pattern more dangerous because operators may expose configuration to less-trusted inputs or automation.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The collector executes arbitrary shell commands from configuration via child_process.exec, which invokes a shell and permits far broader behavior than simple email-status checks. In the context of an agent monitoring skill, this creates a command-execution primitive that can run any local command with inherited process environment, making misuse or compromise of configuration highly dangerous.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The code parses `bins` from `SKILL.md` and interpolates each value directly into a shell command, `which ${b}`, which it runs via `child_process.exec`. Because `SKILL.md` is attacker-controlled skill content and `exec` invokes a shell, a crafted bin name containing shell metacharacters can trigger arbitrary command execution during status collection. The monitoring/status context makes this more dangerous because operators may run it automatically against untrusted custom workspace skills.

Context-Inappropriate Capability

Medium
Confidence: 99%
Finding
The code globally sets NODE_TLS_REJECT_UNAUTHORIZED to 0, disabling certificate validation for all HTTPS/TLS requests made by this process. That makes monitoring results forgeable via man-in-the-middle attacks and can expose any credentials, tokens, or internal status data used by collectors, which is especially risky for a status service that probes multiple backends.

Missing User Warnings

Medium
Confidence: 89%
Finding
The README explicitly documents a feature that executes configured shell commands on the host for health checks. In the context of a status API skill, this materially increases risk because unsafe or user-influenced configuration could lead to arbitrary command execution on the machine running the bot, and the README provides no warning about that trust boundary.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documented status API exposes extensive telemetry including runtime health, service connectivity, cron jobs, skills, dev servers, and system metrics, yet the documentation does not warn that this endpoint can disclose sensitive operational details if reachable by other users or the network. In practice, such data materially helps attackers enumerate services, understand defenses, and target bot infrastructure.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill supports command-based health checks that run shell commands from configuration, but the documentation does not warn that these commands execute with the privileges of the service account. If configuration is modified by an attacker or copied from untrusted sources, this becomes arbitrary command execution with persistence via the monitoring service.

Missing User Warnings

Medium
Confidence: 98%
Finding
`checkCommand` executes `svc.command` through `exec`, which invokes a shell and allows arbitrary shell metacharacters, command chaining, redirection, and expansion if the configuration is attacker-controlled or insufficiently trusted. In a monitoring/status skill that explicitly supports arbitrary CLI checks, this becomes especially dangerous because the feature normalizes remote-triggered command execution and could lead to full host compromise or sensitive data exfiltration.

Missing User Warnings

High
Confidence: 98%
Finding
Disabling TLS validation without any warning means operators may believe HTTPS-backed checks are authenticated when they are not. In this monitoring context, the status API may contact internal services like Portainer, UniFi, email systems, or other configured endpoints, so silent trust bypass increases the chance of undetected interception or spoofed health data.

VirusTotal

64/64 vendors flagged this skill as clean.
