Clawbox Media Server

Security checks across malware telemetry and agentic risk

Overview

This is a transparent LAN file-sharing skill, but it intentionally exposes unauthenticated upload and download servers to reachable local-network devices.

Install only if you want LAN-visible file exchange. Use it on trusted networks, bind to localhost or a specific trusted interface when possible, firewall ports 18801 and 18802, keep sensitive files out of ~/projects/shared-media, and stop or disable the user services when sharing is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Tainted flow: 'dest_path' from os.getenv (line 101, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
```python
dest_path = MEDIA_ROOT / filename

try:
    with open(dest_path, 'wb') as f:
        # Read in chunks to handle large files
        while True:
            chunk = file_item.file.read(8192)
```
Confidence
92% confidence
Finding
with open(dest_path, 'wb') as f:

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill is presented primarily as a simple LAN file-sharing tool, but the documentation also instructs users to install persistent systemd services, start background daemons automatically, kill processes, and run an installer script. That broader behavior materially increases the attack surface and persistence of an unauthenticated file server, making the description incomplete and potentially misleading to users evaluating risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The installer modifies user state by writing systemd unit files, creating directories, killing existing processes, and launching background services without any explicit confirmation or dry-run mode. In a security-sensitive agent environment, silent side effects like process termination and persistent service installation can surprise users, disrupt existing workloads, and expand attack surface by exposing network services.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The server binds to 0.0.0.0 by default and serves files from a local directory over HTTP with no authentication, access control, or explicit user-facing warning that anyone on the LAN can browse and fetch those files. In the context of an agent skill designed for file exchange, this creates a real risk of unintended data exposure to other devices on the same network, especially on shared, guest, or untrusted LANs.

Session Persistence

Medium
Category
Rogue Agent
Content
Enable auto-start (run once from your login session):
```bash
systemctl --user enable media-server.service upload-server.service
```

Start/stop/restart/check status:
Confidence
88% confidence
Finding
systemctl --user enable

Session Persistence

Medium
Category
Rogue Agent
Content
The upload page is served from the same port as the upload endpoint (18802), so cross-origin issues shouldn't occur. Ensure you're accessing `http://<host>:18802/` and not the old media-server copy.

### Systemd user bus not available
Run `systemctl --user enable ...` from your normal login shell (not a cron or SSH non-interactive session without DBUS_SESSION_BUS_ADDRESS set). The `install-all.sh` script will start servers manually in any case.

---
Confidence
84% confidence
Finding
systemctl --user enable

VirusTotal

65/65 vendors flagged this skill as clean.
