GDrive Owncloud sync

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its sync-report purpose, but it also asks users to deploy a persistent file-inventory web service with broad access and default credentials; that part requires careful review.

Review before installing. Change all default credentials, restrict the helper service to localhost or a trusted network, protect the generated inventory outside shared /tmp with restrictive permissions, and confirm that emailing detailed filenames and OwnCloud endpoint information is acceptable.

SkillSpector (by NVIDIA)
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Severity: High. Confidence: 98%.
The code implements a standalone HTTPS file-serving endpoint for /tmp/allfiles.txt protected only by basic auth, which does not match the stated Google Drive/OwnCloud sync-and-email purpose. In a skill context, unexplained network exfiltration capability is highly suspicious because it creates an alternate data access path unrelated to the advertised functionality.

Context-Inappropriate Capability

Severity: Medium. Confidence: 95%.
This handler exposes file contents remotely over the network, allowing anyone with the configured credentials to download a local file from /tmp. Even though it checks for symlinks and requires GET plus basic auth, the capability is unjustified by the declared purpose and could be used to exfiltrate sensitive operational data or staged outputs.

Missing User Warnings

Severity: Medium. Confidence: 93%.
The skill processes sensitive data including OwnCloud credentials, Google Drive account information, file inventory metadata, and email reporting, but the user-facing documentation does not prominently warn about these privacy-sensitive actions. This creates a risk that users may provide secrets or enable email transmission of potentially sensitive file names and status information without understanding the exposure.

Natural-Language Policy Violations

Severity: High. Confidence: 99%.
The service unit hard-codes an administrative username and password in plaintext environment variables. Systemd unit files are commonly readable by local users, and the credentials may also be exposed through process metadata, backups, configuration management, or accidental inclusion in source control, allowing attackers or insiders to recover privileged service credentials.

Missing User Warnings

Severity: Medium. Confidence: 84%.
The script writes an inventory of OwnCloud filenames and timestamps to a predictable world-accessible path in /tmp, which can expose sensitive metadata to other local users or processes on the same host. The existing symlink check reduces one attack path, but it does not address disclosure risks from using a shared temporary directory with a fixed filename and default permissions.

VirusTotal

66/66 vendors flagged this skill as clean.
