Benchmark Model Provider

Security checks across malware telemetry and agentic risk

Overview

This is a coherent model-benchmarking skill that discloses its network calls, credential use, and local report generation, with dependency hygiene issues users should manage.

Install this only in an isolated environment with pinned, current PyYAML and reportlab versions. Use a scoped API key, verify the base_url before running, and avoid sensitive benchmark prompts unless you are comfortable sending them to the selected provider and storing them in local report artifacts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill advertises and instructs use of sensitive capabilities (environment access, file reads/writes, shell, and network I/O via benchmark scripts and configurable endpoints) without declaring explicit permissions. That creates a trust-boundary mismatch: operators may authorize or review it as low-privilege content while it can still drive code paths that access API keys, send prompts to arbitrary endpoints, and write publishable artifacts.

Unpinned Dependencies (PyYAML)

Severity: Low
Category: Supply Chain
Content: PyYAML, reportlab
Confidence: 98%
Finding: PyYAML

Unpinned Dependencies (reportlab)

Severity: Low
Category: Supply Chain
Content: PyYAML, reportlab
Confidence: 98%
Finding: reportlab

Known Vulnerable Dependency: PyYAML

Severity: Critical
Category: Supply Chain
Confidence: 96%
Finding: PyYAML, 8 advisories: CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML); +5 more

Known Vulnerable Dependency: reportlab

Severity: Critical
Category: Supply Chain
Confidence: 97%
Finding: reportlab, 6 advisories: CVE-2023-33733 (Reportlab vulnerable to remote code execution); CVE-2020-28463 (Server-side Request Forgery (SSRF) via img tags in reportlab); CVE-2019-19450 (ReportLab vulnerable to remote code execution via paraparser); +3 more

VirusTotal

66/66 vendors flagged this skill as clean.
