ClawHub

Skill Auditor Pro

Security checks across malware telemetry and agentic risk

Overview

This is a coherent skill-security scanner, with documentation and temporary-file hygiene issues users should understand before relying on it.

Install only if you are comfortable with a shell-based auditor. Treat its results as a helper, not a complete security guarantee; the LLM/Gemini step is manual. Scan only specific skill directories, do not run it with sudo, treat exported snippets as untrusted, and delete any /tmp/skill-audit-*-suspicious.txt file after review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script advertises an 'LLM Analysis' capability, but the implementation only saves snippets to /tmp and prints a prompt for a human or external agent. This is a security-relevant integrity issue because operators may rely on a nonexistent automated review stage and miss that suspicious content is not actually being analyzed in a controlled way.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The help text claims 'L3: LLM intent analysis (Gemini)' even though no Gemini or other LLM API is called anywhere in the script. This can mislead users into overtrusting the tool's coverage and create a false sense of safety during security triage.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script copies suspicious code into a predictable /tmp path without warning the user, even though the extracted snippets may contain secrets, proprietary code, or attacker-crafted prompt-injection content. /tmp is a shared location on many systems, increasing the chance of unintended disclosure or interference by other local users/processes.

Ssd 1

Medium
Confidence
96% confidence
Finding
The script instructs an external agent to analyze attacker-controlled extracted code without clearly labeling it as untrusted input. That creates a prompt-injection risk: malicious content in the snippet could manipulate downstream LLM-based agents into ignoring instructions, leaking data, or taking unsafe actions.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal