Chief Editor Decision

Security checks across malware telemetry and agentic risk

Overview

This instruction-only reporting skill is not overtly malicious, but it requires broad attachment reading, URL fetching, and report submission, gives the user little control over any of those steps, and uses misleading wording about where its sources come from.

Install only if you are comfortable with the agent reading every supplied attachment, visiting selected links found inside them, and creating and submitting a detailed report from that material. Avoid using it with confidential documents unless you can review the generated wiki or report before submission, and treat its citations carefully: the instructions push the output to appear as if it were sourced directly from the original URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%

Finding: The declared purpose is a chief-editor decision skill, but the instructions expand into mandatory attachment ingestion, URL discovery, web scraping, long-form report generation, and submission workflows. This capability mismatch is dangerous because it normalizes broader data access and exfiltration-adjacent behavior than a user would reasonably expect from the skill's stated role.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%

Finding: The skill makes external URL scraping mandatory for links found in attachments, even though that behavior is not clearly necessary for making an editorial decision. This creates unnecessary network access driven by user-supplied documents, which can expose sensitive context, trigger requests to attacker-controlled URLs, and expand the data boundary beyond what the user likely intended.

Missing User Warnings

Severity: Medium
Confidence: 97%

Finding: The skill instructs the agent to scrape up to five URLs extracted from user attachments without warning the user that this causes external network access derived from attachment contents. This is particularly dangerous because attachments may contain sensitive or attacker-influenced links, leading to privacy leakage, outbound requests to untrusted destinations, and possible SSRF-style access if internal URLs are not blocked.

Missing User Warnings

Severity: High
Confidence: 97%

Finding: The skill instructs the agent to scrape up to five URLs extracted from user attachments without warning the user that this causes external network access derived from attachment contents. This is particularly dangerous because attachments may contain sensitive or attacker-influenced links, leading to privacy leakage, outbound requests to untrusted destinations, and possible SSRF-style access if internal URLs are not blocked.
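The SSRF caveat in the two findings above (internal destinations must be blocked before the agent fetches anything extracted from an attachment) is concrete enough to show as code. The Python below is an added example written for this page; it is not code from the scanned skill or from SkillSpector. It assumes the agent's fetch step can be fronted by a function like `vet_attachment_links`, and the `CONSTRUCTED_DNS` table, the `SAMPLE_ATTACHMENT` text and every function name are hypothetical. The default resolver does real DNS lookups; `table_resolver` stands in for it so the example runs offline.

```python
"""Gate links extracted from an attachment before an agent fetches any of them.
Added example for this page, not code from the scanned skill or SkillSpector.
"""
import ipaddress
import re
import socket
from typing import NamedTuple
from urllib.parse import urlsplit

MAX_URLS = 5  # the cap the skill's own instructions put on links fetched per run

# http(s) links in free text; sentence punctuation glued to a link is stripped below.
URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)

# Destinations an agent-driven fetch should never reach.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",  # link-local, which includes cloud metadata at 169.254.169.254
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Hypothetical DNS table (constructed) so the example runs without network access.
CONSTRUCTED_DNS = {
    "example.com": ["203.0.113.10"],
    "intranet.corp": ["10.20.30.40"],
    "rebind.example": ["203.0.113.11", "127.0.0.1"],  # one public, one loopback record
}

SAMPLE_ATTACHMENT = """Constructed sample attachment text.
Primary source: https://example.com/report.pdf, mirror: https://rebind.example/report.pdf.
Internal notes at http://intranet.corp/wiki and http://169.254.169.254/latest/meta-data/ .
Archive: https://user:pw@example.com/private (do not share)."""


class Verdict(NamedTuple):
    url: str
    allowed: bool
    reason: str
    addresses: tuple = ()


def default_resolver(host: str) -> list:
    """Every A/AAAA address for host (performs real DNS lookups)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def table_resolver(host: str) -> list:
    """Offline stand-in for default_resolver, backed by CONSTRUCTED_DNS."""
    if host not in CONSTRUCTED_DNS:
        raise OSError(f"no such host: {host}")
    return list(CONSTRUCTED_DNS[host])


def _blocked(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:  # unwrap ::ffff:10.0.0.1
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)


def vet_url(url: str, resolver=default_resolver) -> Verdict:
    """Decide whether one URL may be fetched, and say why when it may not."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return Verdict(url, False, f"unparseable: {exc}")
    host = parts.hostname
    if parts.scheme not in ("http", "https"):
        return Verdict(url, False, "scheme not http(s)")
    if parts.username or parts.password:
        return Verdict(url, False, "credentials embedded in URL")
    if not host or host == "localhost" or host.endswith(".localhost"):
        return Verdict(url, False, "missing host or localhost")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: no lookup needed
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:  # socket.gaierror is an OSError
            return Verdict(url, False, f"unresolvable: {exc}")
    # Reject a name if any record is internal: the fetcher does not pick the record,
    # and DNS rebinding can swap records between this check and the actual fetch.
    internal = [a for a in addrs if _blocked(a)]
    if internal:
        return Verdict(url, False, f"resolves to internal address {internal[0]}", tuple(addrs))
    return Verdict(url, True, "ok", tuple(addrs))


def extract_urls(text: str) -> list:
    seen, found = set(), []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:)")  # drop sentence punctuation glued to the link
        if url not in seen:
            seen.add(url)
            found.append(url)
    return found


def vet_attachment_links(text: str, resolver=default_resolver, limit: int = MAX_URLS):
    """Return (URLs the agent may fetch, a verdict for every URL found).

    Show the verdict list to the user before fetching anything: the findings' point is
    that the user otherwise never learns these requests will be made on their behalf.
    """
    verdicts = [vet_url(u, resolver) for u in extract_urls(text)]
    allowed = [v.url for v in verdicts if v.allowed][:limit]
    return allowed, verdicts
```

Running `vet_attachment_links(SAMPLE_ATTACHMENT, table_resolver)` leaves only `https://example.com/report.pdf` fetchable: the metadata address, the intranet name, the name that also resolves to loopback, and the link carrying embedded credentials are all refused with a reason the agent can surface to the user. Shorthand IP forms that the stdlib does not parse as literals (for example `127.1`) fall through to the resolver, so a production gate should also run the post-resolution check inside the HTTP client to cover redirects.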

Ssd 3

Severity: High
Confidence: 95%

Finding: The skill mandates exhaustive inclusion of collected facts, data, detailed narration, and source material from attachments and derived URLs in a final report. In context, this increases the chance that sensitive information from user-provided documents or linked resources is recopied into a new artifact and then submitted, turning broad ingestion into a plain-language data leakage path.

VirusTotal

64/64 vendors reported this skill as clean (no detections).