Codebase Guide

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Ganglion operator guide, but it is always-on and includes powerful commands for uploading code, changing agent behavior, and rolling back project state without enough guardrails.

Install only if you intend to administer Ganglion. Keep the HTTP bridge bound to localhost or otherwise strongly protected, review any tool/agent/MCP code before registration, commit or back up the project before mutations or rollback, protect the OpenAI API key, and isolate knowledge stores between trusted and untrusted experiments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (18)

Vague Triggers

High
Confidence
89%
Finding
The manifest says 'Use for every task involving this project' and lists broad generic trigger phrases, causing the skill to activate for almost any project-related request. Overbroad activation increases the chance that destructive operational guidance, remote mutations, or rollback commands are surfaced in contexts where the user only wanted information, leading to unintended state changes.

Missing User Warnings

Medium
Confidence
86%
Finding
The documentation provides scaffolding and operational commands that create or modify project state, but does not prominently warn that these actions can change files, start services, or affect active environments. In an agent setting, omission of explicit warnings makes accidental modification more likely, especially when the skill is configured to be used broadly.

Missing User Warnings

Medium
Confidence
95%
Finding
These examples perform live remote mutations such as registering tools and patching the pipeline on a running service, yet they are presented as ordinary usage without a strong warning about production impact. In context, this is more dangerous because the skill is an operator manual for a system that supports runtime changes and rollback, so an agent may treat these writes as routine and modify live systems unintentionally.

Missing User Warnings

Medium
Confidence
91%
Finding
The workflow instructs users to export an API key directly in the shell but gives no guidance on secure handling, least privilege, rotation, or avoiding exposure through shell history, shared terminals, or logs. While this is common documentation practice, it can lead to accidental credential disclosure in real operational environments.

Missing User Warnings

Medium
Confidence
93%
Finding
The documentation includes examples for tool registration, pipeline patching, and prompt updates that directly modify the local Ganglion project, yet it gives no warning that these operations write files and change runtime behavior. In an agent-skill context, users may copy or trigger these examples assuming they are read-only API calls, causing unintended code/configuration changes.

Missing User Warnings

Medium
Confidence
90%
Finding
The rollback examples are destructive because they revert prior mutations, but the documentation does not warn that these actions can remove recent tool, prompt, or pipeline changes. In operational use, this can lead to accidental loss of work or restoration of older, less secure states.

Missing User Warnings

Medium
Confidence
90%
Finding
The documentation exposes multiple mutation endpoints that create or replace project files and alter pipeline configuration, but it does not prominently warn that these operations modify the local codebase. In an agent skill meant to be used operationally for this project, that omission can lead users or downstream agents to invoke write-capable endpoints as if they were observational, causing unintended code changes, persistence of attacker-supplied content, or supply-chain style tampering within the project directory.

Missing User Warnings

Medium
Confidence
88%
Finding
The rollback endpoints are documented as operational conveniences, but they can restore or delete files and revert prior mutations without an explicit destructive-action warning. In this skill context, where an agent may autonomously manage pipeline state, understated rollback semantics increase the risk of accidental data loss, confusing state changes, or attacker-influenced reversions that remove legitimate code or prompts.

Missing User Warnings

Medium
Confidence
90%
Finding
This operations guide includes multiple remote execution and mutation examples that can start runs, register code, modify pipeline stages and policies, roll back state, and update prompts without any adjacent warning about disruption, privilege requirements, or operational risk. In a skill intended for routine project use, this omission increases the chance that users or downstream agents will invoke state-changing endpoints casually and cause service interruption, unsafe code loading, or unintended configuration drift.

Missing User Warnings

Medium
Confidence
89%
Finding
The troubleshooting advice encourages printing the first 10 characters of the `OPENAI_API_KEY`, which is a partial secret disclosure. Even truncated secrets should not be echoed to terminal output, logs, shell history, screen recordings, or shared debugging transcripts because they can aid credential correlation and accidental exposure.

External Transmission

Medium
Category
Data Exfiltration
Content
4. **Register a new tool:**
   ```bash
   curl -s -X POST "$GANGLION_URL/v1/tools" \
     -H "Content-Type: application/json" \
     -d '{
       "name": "evaluate_model",
   ```
Confidence
95%
Finding
`curl -s -X POST "$GANGLION_URL/v1/tools" -H "Content-Type: application/json" -d`

External Transmission

Medium
Category
Data Exfiltration
Content
### Register a Tool
```bash
curl -s -X POST "$GANGLION_URL/v1/tools" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "analyze_results",
```
Confidence
91%
Finding
`curl -s -X POST "$GANGLION_URL/v1/tools" -H "Content-Type: application/json" -d`

External Transmission

Medium
Category
Data Exfiltration
Content
### Register a Tool (Validation Failure)
```bash
curl -s -X POST "$GANGLION_URL/v1/tools" \
  -H "Content-Type: application/json" \
  -d '{"name": "bad_tool", "code": "def bad_tool(x):\n    pass", "category": "misc"}' | jq
```
Confidence
87%
Finding
`curl -s -X POST "$GANGLION_URL/v1/tools" -H "Content-Type: application/json" -d`

External Transmission

Medium
Category
Data Exfiltration
Content
### Patch Pipeline
```bash
curl -s -X PATCH "$GANGLION_URL/v1/pipeline" \
  -H "Content-Type: application/json" \
  -d '{
    "operations": [
```
Confidence
89%
Finding
`curl -s -X PATCH "$GANGLION_URL/v1/pipeline" -H "Content-Type: application/json" -d`

External Transmission

Medium
Category
Data Exfiltration
Content
### Update a Prompt
```bash
curl -s -X POST "$GANGLION_URL/v1/prompts" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_name": "Trainer",
```
Confidence
88%
Finding
`curl -s -X POST "$GANGLION_URL/v1/prompts" -H "Content-Type: application/json" -d`

External Transmission

Medium
Category
Data Exfiltration
Content
### Register a New Tool
```bash
curl -s -X POST "$GANGLION_URL/v1/tools" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "my_tool",
```
Confidence
95%
Finding
`curl -s -X POST "$GANGLION_URL/v1/tools" -H "Content-Type: application/json" -d`

External Transmission

Medium
Category
Data Exfiltration
Content
### Register a New Agent
```bash
curl -s -X POST "$GANGLION_URL/v1/agents" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "MyAgent",
```
Confidence
95%
Finding
`curl -s -X POST "$GANGLION_URL/v1/agents" -H "Content-Type: application/json" -d`

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
   ```bash
   curl -s "$GANGLION_URL/v1/pipeline" | jq '.data.stages[].name'
   ```

4. **Register a new tool:**
   ```bash
   curl -s -X POST "$GANGLION_URL/v1/tools" \
     -H "Content-Type: application/json" \
   ```
Confidence
94%
Finding
`tool:*`

VirusTotal

66/66 vendors flagged this skill as clean.