Server Mate

Security checks across malware telemetry and agentic risk

Overview

Server Mate is a coherent server-monitoring skill with disclosed optional AI, webhook, GeoIP, and guarded remediation features, but production users should review data sharing and automation settings carefully.

Install only if you are comfortable with a monitoring tool that reads web and auth logs and stores local operational metrics. Before production use:
  • keep automation.dry_run=true;
  • leave auto_ban and auto_heal disabled until the command templates and allowlists they execute have been reviewed;
  • protect metrics.db, reports, and config.yaml, which hold collected telemetry, generated reports, and endpoint settings;
  • review every enabled webhook, Telegram destination, OpenAI-compatible endpoint, public report URL, and GeoIP download source, since each one is a point where data leaves the host or code and data enter it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"command_text": command_text,
        }
    try:
        completed = subprocess.run(
            shlex.split(command_text),
            capture_output=True,
            text=True,
Confidence
96% confidence
Finding
completed = subprocess.run( shlex.split(command_text), capture_output=True, text=True, timeout=max(int(timeout_seconds), 1), check=F
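To make this finding concrete: the example below is added here and is not Server Mate's code. It models an auto_ban command template (the template string, the iptables rule, and all function names are assumptions) to show why shlex.split with shell=False does not neutralise a value copied out of a log line, and what the fixed-argv, validated form that the overview's template and allowlist review should arrive at looks like.

```python
import ipaddress
import shlex
import subprocess

# Hypothetical auto_ban command template in the style the overview describes.
# The template text and the function names below are assumptions for this example.
BAN_TEMPLATE = "iptables -A INPUT -s {ip} -j DROP"


def build_argv_unsafe(template: str, ip: str) -> list:
    """Interpolate the untrusted field, then shlex.split it (the flagged pattern).

    shell=False keeps shell metacharacters inert, but the attacker-controlled
    string is split into several argv entries, so extra flags are injected.
    """
    return shlex.split(template.format(ip=ip))


def is_bannable_address(ip: str) -> bool:
    """True only for a single, globally routable IP literal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # whitespace, flags, CIDR ranges and hostnames are all rejected here
    # is_global excludes RFC 1918, loopback, link-local, multicast and reserved ranges,
    # so a poisoned log cannot make the host ban its own networks.
    return addr.is_global


def build_argv_safe(ip: str) -> list:
    """Fixed argv; the only variable element is a validated IP literal."""
    if not is_bannable_address(ip):
        raise ValueError(f"refusing to ban {ip!r}: not a single public IP address")
    return ["iptables", "-A", "INPUT", "-s", str(ipaddress.ip_address(ip)), "-j", "DROP"]


def run_guarded(argv, dry_run=True, timeout_seconds=10):
    """Execute the remediation only when dry_run is off, and never through a shell."""
    if dry_run:
        return {"dry_run": True, "argv": argv, "returncode": None}
    completed = subprocess.run(argv, capture_output=True, text=True,
                               timeout=max(int(timeout_seconds), 1), check=False)
    return {"dry_run": False, "argv": argv, "returncode": completed.returncode,
            "stdout": completed.stdout, "stderr": completed.stderr}


if __name__ == "__main__":
    # A client IP field taken from a log line can carry anything the client sent.
    print(build_argv_unsafe(BAN_TEMPLATE, "203.0.113.7 -j ACCEPT"))
    print(run_guarded(build_argv_safe("8.8.8.8")))
```

The unsafe builder turns one interpolated field into nine argv entries, with an attacker-chosen `-j ACCEPT` ahead of the intended `-j DROP`; the safe builder rejects the same string before any command is assembled, and run_guarded keeps dry_run as the default so a reviewed template is still exercised without touching the firewall.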

Tainted flow: 'request' from os.getenv (line 4343, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urllib.request.urlopen(request, timeout=settings["timeout_seconds"]) as response:
            data = json.loads(response.read().decode("utf-8"))
    except (urllib.error.URLError, TimeoutError, json.JSONDecodeError):
        return None
Confidence
96% confidence
Finding
with urllib.request.urlopen(request, timeout=settings["timeout_seconds"]) as response:

Tainted flow: 'request' from os.getenv (line 4343, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urllib.request.urlopen(request, timeout=settings["timeout_seconds"]) as response:
            data = json.loads(response.read().decode("utf-8"))
    except (urllib.error.URLError, TimeoutError, json.JSONDecodeError):
        return None
Confidence
96% confidence
Finding
with urllib.request.urlopen(request, timeout=settings["timeout_seconds"]) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill describes capabilities to read/write files, access environment variables, use the network, and invoke shell commands, yet it declares no permissions or equivalent trust boundary metadata. That mismatch can cause an orchestrator or reviewer to underestimate what the skill can do, which is especially risky here because the skill is explicitly designed to touch host logs, secrets, webhooks, SQLite state, and potentially privileged remediation commands.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The module performs outbound AI API calls from report-generation logic, despite the file presenting itself primarily as a local reporting tool. This mismatch increases the risk of silent data egress from monitoring environments, especially where operators may not expect server telemetry and error summaries to leave the host.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The report generator both downloads a GeoIP database from the internet and invokes geoipupdate, introducing supply-chain and unintended network execution behavior into a reporting workflow. In a server-monitoring context this is more dangerous than usual because the component may run in privileged or semi-trusted operational environments where unexpected downloads and helper execution widen the attack surface.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The contract explicitly normalizes and stores request-level data such as client IP, full URI, referer, and user agent, which can constitute personal data or sensitive telemetry depending on deployment. In a monitoring/AI-ops skill, centralizing these fields without retention limits, minimization guidance, masking rules, or privacy notice requirements increases the risk of privacy violations, over-collection, and accidental exposure through logs, reports, or downstream analytics.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The contract defines action events for auto-ban, unban, restart, and remediation attempts, including TTL-based blocking, but provides no guardrails about false positives, approval flow, rollback, or service/user impact. Given this skill's purpose includes guarded auto-ban and auto-heal behavior, the omission is meaningful because consumers may implement disruptive automated enforcement from the spec alone, causing denial of service to legitimate users or unstable remediation loops.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The playbook explicitly recommends sending neighboring raw log lines, affected routes/sites/upstreams, and alert context to a model, but it provides no minimization, redaction, retention, or data-handling constraints. In an ops setting, those fields can contain IPs, usernames, tokens, session identifiers, internal hostnames, customer paths, or sensitive incident details, creating a realistic risk of privacy leakage and unintended disclosure to external AI services.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This network call sends aggregated server metrics to an external AI endpoint without strong inline disclosure or consent enforcement. In the context of a Linux monitoring/reporting skill, undisclosed outbound transmission of operational summaries is a meaningful security issue because it can leak infrastructure metadata and security-relevant observations outside the monitored environment.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The additional AI review path separately transmits operational snapshots externally, again without strong user-facing disclosure at the point of egress. Because this code handles server health and security summaries, the transmitted data can expose sensitive patterns even when not obviously secret-bearing.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The AI diagnosis feature sends operational telemetry such as host ID, site, request counts, top IPs, usernames, and error fingerprints to a remote endpoint whenever enabled. In a server-monitoring skill, this is security-sensitive metadata that can expose infrastructure details, attack activity, and user-related information to third parties without strong minimization or explicit runtime consent.
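The findings above about forwarding neighboring raw log lines, operational snapshots, and host/site/IP/username telemetry all concern the same egress path, so one added example covers them. It is not the skill's code: it shows the minimisation the scanner says is missing, namely a keyed pseudonym for host IDs and IPs (consistent across fields so the model can still correlate), regex redaction of bearer tokens, e-mail addresses, query-string secrets and the combined-log remote-user field, and an allowlist of fields that may leave the host at all. The snapshot layout, the log lines and the key are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample data, not real telemetry: log-style lines of the kind the
# playbook suggests forwarding as "neighboring raw log lines".
SAMPLE_LINES = [
    '203.0.113.9 - alice [10/May/2024:12:00:01 +0000] "GET /login?session=abc123 HTTP/1.1" 401 512 "-" "curl/8.0"',
    '198.51.100.4 - - [10/May/2024:12:00:02 +0000] "POST /api/v1/report HTTP/1.1" 500 0 "https://intranet.example.com/" "Mozilla/5.0"',
    'upstream auth failed for ops@example.com with Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig from 203.0.113.9',
]

# Constructed snapshot; the field names mirror what the finding lists and are an assumption.
SAMPLE_SNAPSHOT = {
    "host_id": "web-01.prod.example.com",
    "site": "shop.example.com",
    "request_count": 12345,
    "error_count": 37,
    "top_ips": ["203.0.113.9", "198.51.100.4"],
    "usernames": ["alice", "bob", "alice"],
    "error_fingerprints": ["upstream timed out (110) while reading from 10.0.0.12:8080"],
    "neighbor_lines": SAMPLE_LINES,
    "internal_notes": "ticket OPS-42, do not forward",
}

# Assumption: in a real deployment this key is loaded from config or the environment.
PSEUDONYM_KEY = b"rotate-me-per-deployment"

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
_BEARER = re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._~+/=-]+")
_QUERY_SECRET = re.compile(r'(?i)([?&](?:token|key|session|sid|api_key|password)=)[^&\s"]+')
_CLF_USER = re.compile(r"^(\S+ - )(?!-\s)(\S+)( \[)")  # remote-user field of the combined log format

# Only these scalar/list fields are copied through as-is.
ALLOWED_FIELDS = ("site", "request_count", "error_count")


def pseudonym(value: str, key: bytes, prefix: str) -> str:
    """Keyed, truncated HMAC: stable within a deployment, meaningless outside it."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]
    return f"{prefix}:{digest}"


def redact_line(line: str, key: bytes) -> str:
    """Strip secrets and identities from one free-text line, keeping the diagnostic shape."""
    line = _BEARER.sub(r"\1[redacted]", line)
    line = _QUERY_SECRET.sub(r"\1[redacted]", line)
    line = _EMAIL.sub("[email]", line)
    line = _CLF_USER.sub(lambda m: m.group(1) + "[user]" + m.group(3), line)
    line = _IPV4.sub(lambda m: pseudonym(m.group(0), key, "ip"), line)
    return line


def minimize_for_ai(snapshot: dict, key: bytes) -> dict:
    """Build the only payload that may leave the host.

    Everything not explicitly handled here (e.g. internal_notes) is dropped.
    """
    out = {k: snapshot[k] for k in ALLOWED_FIELDS if k in snapshot}
    if "host_id" in snapshot:
        out["host_id"] = pseudonym(snapshot["host_id"], key, "host")
    if "top_ips" in snapshot:
        out["top_ips"] = [pseudonym(ip, key, "ip") for ip in snapshot["top_ips"]]
    if "usernames" in snapshot:
        out["distinct_usernames"] = len(set(snapshot["usernames"]))  # a count, never the names
    if "error_fingerprints" in snapshot:
        out["error_fingerprints"] = [redact_line(f, key) for f in snapshot["error_fingerprints"]]
    if "neighbor_lines" in snapshot:
        out["neighbor_lines"] = [redact_line(l, key) for l in snapshot["neighbor_lines"]]
    return out


if __name__ == "__main__":
    for k, v in minimize_for_ai(SAMPLE_SNAPSHOT, PSEUDONYM_KEY).items():
        print(k, v)
```

The design choice worth noting is the keyed pseudonym rather than plain masking: the model still sees that the same address appears in top_ips and in two of the forwarded lines, which is the correlation an AI diagnosis needs, while the address itself, the usernames and the free-text ticket note never reach the endpoint.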

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide instructs operators to expose generated PDF reports via Nginx or Apache using public URLs, but it does not warn that these reports may contain sensitive operational data such as host identifiers, traffic patterns, suspicious IPs, error summaries, SSL status, and internal monitoring context. Publishing them directly can create unintended information disclosure, especially if the report host is internet-accessible and URLs are guessable.

External Transmission

Medium
Category
Data Exfiltration
Content
ai_analysis:
      enabled: true
      simulate: false
      endpoint: https://api.openai.com/v1
      model: gpt-4o-mini
      api_key_env: OPENAI_API_KEY
      timeout_seconds: 20
Confidence
90% confidence
Finding
https://api.openai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
- `simulate`
  - When `true`, the generator uses a built-in fallback summary instead of calling a real LLM API.
- `endpoint`
  - Base OpenAI-compatible API endpoint. Example: `https://api.openai.com/v1`.
- `model`
  - Chat model name, for example `gpt-4o-mini`.
- `api_key_env`
Confidence
86% confidence
Finding
https://api.openai.com/
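The ai_analysis keys documented above and the pre-production checklist in the overview can be turned into a preflight check run before config.yaml is deployed. The following example is added here and is not part of Server Mate; it assumes a key layout (automation.auto_ban.enabled, automation.auto_heal.enabled, webhooks[].url, geoip.download_url, reports.public_url) that goes beyond what the page shows, and compares a configuration as shipped with the same file after review.

```python
from urllib.parse import urlparse

# Constructed configs shaped after the keys on this page (ai_analysis.*, automation.dry_run,
# auto_ban, auto_heal). The nesting of automation.auto_ban.enabled, webhooks, geoip and
# reports is an assumption for this example, not the skill's real schema.
AS_SHIPPED = {
    "automation": {"dry_run": False, "auto_ban": {"enabled": True}, "auto_heal": {"enabled": False}},
    "ai_analysis": {"enabled": True, "simulate": False, "endpoint": "https://api.openai.com/v1",
                    "model": "gpt-4o-mini", "api_key_env": "OPENAI_API_KEY", "timeout_seconds": 20},
    "webhooks": [{"name": "ops", "url": "http://hooks.example.internal/alert"}],
    "geoip": {"download_url": "http://mirror.example.invalid/GeoLite2-City.mmdb"},
    "reports": {"public_url": "https://status.example.com/reports/"},
}

REVIEWED = {  # the same file after the review the overview asks for
    "automation": {"dry_run": True, "auto_ban": {"enabled": False}, "auto_heal": {"enabled": False}},
    "ai_analysis": {"enabled": True, "simulate": True, "endpoint": "https://api.openai.com/v1",
                    "model": "gpt-4o-mini", "api_key_env": "OPENAI_API_KEY", "timeout_seconds": 20},
    "webhooks": [{"name": "ops", "url": "https://hooks.example.internal/alert"}],
    "geoip": {"download_url": "https://mirror.example.invalid/GeoLite2-City.mmdb"},
    "reports": {},
}


def _get(cfg, dotted, default=None):
    """Look up a dotted key path in nested dicts."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def _insecure_url(url):
    p = urlparse(url or "")
    return p.scheme != "https" or not p.hostname


def preflight(cfg, approved_ai_hosts=frozenset()):
    """Return the list of settings that must change before production use."""
    issues = []
    if _get(cfg, "automation.dry_run") is not True:
        issues.append("automation.dry_run: must stay true until command templates and allowlists are reviewed")
    for feature in ("auto_ban", "auto_heal"):
        if _get(cfg, f"automation.{feature}.enabled") is True:
            issues.append(f"automation.{feature}: enabled; disruptive remediation with no approval flow or rollback")
    ai = cfg.get("ai_analysis", {})
    if ai.get("enabled") and not ai.get("simulate"):  # simulate=true never calls the remote API
        endpoint = ai.get("endpoint", "")
        host = urlparse(endpoint).hostname
        if _insecure_url(endpoint):
            issues.append(f"ai_analysis.endpoint: {endpoint!r} is not an https URL")
        elif host not in approved_ai_hosts:
            issues.append(f"ai_analysis.endpoint: host {host!r} not approved; telemetry and log excerpts will leave the host")
        if not ai.get("api_key_env", "").isidentifier():
            issues.append("ai_analysis.api_key_env: should name an environment variable, not hold a literal key")
    for i, hook in enumerate(cfg.get("webhooks", [])):
        if _insecure_url(hook.get("url")):
            issues.append(f"webhooks[{i}]: {hook.get('url')!r} is not https; alert content travels in clear text")
    if "geoip" in cfg and _insecure_url(_get(cfg, "geoip.download_url")):
        issues.append("geoip.download_url: not https; the database is a supply-chain input, fetch it over TLS and verify a checksum")
    if _get(cfg, "reports.public_url"):
        issues.append("reports.public_url: reports carry host IDs, suspicious IPs and error summaries; require authentication or unguessable paths before publishing")
    return issues


if __name__ == "__main__":
    for issue in preflight(AS_SHIPPED):
        print("-", issue)
    print("reviewed:", preflight(REVIEWED) or "no issues")
```

Passing an approved-host set (for example the endpoint your organisation has actually contracted) silences only the egress-destination check; the dry_run, auto_ban, clear-text webhook, GeoIP download and public report findings remain until the config itself is changed.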

VirusTotal

66/66 vendors flagged this skill as clean.
