Pilot Quarantine

Security checks across malware telemetry and agentic risk

Overview

This incident-response skill is not malicious, but it can disconnect live agents despite saying immediate disconnects are out of scope.

Install only if operators understand this is active containment, not just passive quarantine. Require manual review before running the disconnect examples, and prefer a version that clearly separates temporary trust suspension from immediate session termination.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Medium (95% confidence)
Finding:
The skill claims quarantine should not be used for immediate disconnects, yet the quarantine example both untrusts the agent and forcibly disconnects active sessions. This mismatch can mislead operators and cause more disruptive actions than intended, especially if an agent is only under investigation rather than confirmed malicious.

Description-Behavior Mismatch

Medium (96% confidence)
Finding:
The enforcement loop repeatedly disconnects quarantined agents even though the manifest says immediate disconnect is out of scope for this skill. That creates a behavioral contradiction and can turn a temporary isolation mechanism into an ongoing active denial of connectivity without clear operator consent.

Intent-Code Divergence

Medium (93% confidence)
Finding:
The top-level guidance says not to use this skill for immediate disconnect, but the embedded examples later perform disconnect operations anyway. Such contradictory instructions are dangerous in operational security tooling because they undermine operator expectations and increase the chance of unintended service disruption.

Missing User Warnings

Medium (91% confidence)
Finding:
The example issues untrust and disconnect commands that directly change live network state, but it does so without an explicit warning, dry-run, or confirmation step. In a security response context, these actions can interrupt legitimate agents, sever active sessions, and complicate incident investigation if triggered too quickly or by mistake.

VirusTotal

64/64 vendors flagged this skill as clean.