Python Package HarmonyOS Compatibility Testing Skill

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its stated purpose, but it needs review because it downloads and runs third-party Python code locally without strong isolation or warnings.

Install only if you will run it in a disposable, low-privilege environment with no secrets in environment variables. Do not run it with sudo/admin privileges, avoid using it on untrusted package names or requirements files, and treat generated compatibility reports as advisory rather than authoritative.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import os, subprocess
from typing import List, Tuple

def run_command(cmd: List[str], timeout: int = 300, cwd: str = None) -> Tuple[bool, str, str]:
    """Run a shell command and return success status, stdout, stderr."""
    try:
        result = subprocess.run(
            cmd, capture_output=True, text=True, timeout=timeout, cwd=cwd,
            env={**os.environ},  # flagged: the whole host environment reaches the child (the original also sets pip variables here; truncated in the report)
        )
        return result.returncode == 0, result.stdout, result.stderr
    except subprocess.TimeoutExpired as exc:
        return False, exc.stdout or "", exc.stderr or ""
Confidence
95% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, timeout=timeout, cwd=cwd, env={**os.environ, "PIP_NO_CACHE

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises behavior that downloads package source from GitHub/PyPI, writes reports, reads requirement files, and invokes shell/pytest, but the metadata shown declares no permissions. That mismatch is security-relevant because users and hosting systems cannot accurately assess or gate the skill's ability to access the network, filesystem, environment, and command execution before use.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The report declares the package installable, test_passed, and compatible even though the same artifact records failed pytest cases and a source download failure. This creates a misleading trust signal that can cause downstream automation or users to approve an actually unverified or partially failing package, undermining the integrity of compatibility decisions.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The report declares numpy fully compatible and 'can be directly used' even though it records a source-download failure and 5 failed tests, including runtime and filesystem-related failures. This kind of contradictory reporting can mislead users into deploying an insufficiently validated package on HarmonyOS, causing reliability issues and potentially masking platform-specific breakage in downstream environments.
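The two Intent-Code Divergence findings above describe a report whose verdict contradicts its own evidence. The check below is an added example, not code from the skill or from SkillSpector: it derives the verdict from the recorded evidence alone and flags every package the report calls compatible when the evidence does not support it. The record field names are an assumption for this example, and the sample records are constructed; the numpy entry mirrors the figures quoted in the finding (a source-download failure and 5 failed tests), with the tests_run count invented.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class CompatReport:
    """One package entry of a compatibility report (field names assumed for this example)."""
    package: str
    source_download_ok: bool   # did the upstream source/test files actually arrive?
    install_ok: bool           # pip install succeeded
    tests_run: int
    tests_failed: int
    claimed_compatible: bool   # what the generated report asserts about the package


def derive_verdict(r: CompatReport) -> str:
    """Verdict from evidence only: failures dominate, and missing evidence never counts as success."""
    if not r.install_ok:
        return "incompatible"
    if r.tests_failed > 0:
        return "failing_tests"
    if not r.source_download_ok or r.tests_run == 0:
        return "unverified"        # nothing from upstream was actually exercised
    return "compatible"


def audit(r: CompatReport) -> List[str]:
    """Contradictions between the claimed verdict and the evidence (empty list means consistent)."""
    problems = []
    verdict = derive_verdict(r)
    if r.claimed_compatible and verdict != "compatible":
        problems.append(
            f"{r.package}: report claims compatible but evidence says {verdict} "
            f"(download_ok={r.source_download_ok}, failed={r.tests_failed}/{r.tests_run})"
        )
    if r.tests_failed > r.tests_run:
        problems.append(f"{r.package}: more failed tests than tests run; record is corrupt")
    return problems


# Constructed sample records; the numpy figures mirror the finding above.
SAMPLE_REPORTS = [
    CompatReport("numpy", source_download_ok=False, install_ok=True,
                 tests_run=120, tests_failed=5, claimed_compatible=True),
    CompatReport("six", source_download_ok=True, install_ok=True,
                 tests_run=40, tests_failed=0, claimed_compatible=True),
    CompatReport("somepkg", source_download_ok=False, install_ok=True,
                 tests_run=0, tests_failed=0, claimed_compatible=True),
]


def audit_all(reports: List[CompatReport]) -> Dict[str, List[str]]:
    """Map each inconsistent package to its problems; gate downstream approval on this being empty."""
    return {r.package: audit(r) for r in reports if audit(r)}


if __name__ == "__main__":
    for pkg, problems in audit_all(SAMPLE_REPORTS).items():
        print(pkg, "->", "; ".join(problems))
```

Any automation that consumes the skill's reports should recompute the verdict this way rather than trust the claimed_compatible flag; a record with no upstream tests exercised is reported as unverified, never as compatible.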

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The checker runs pytest on downloaded test files and may fall back to executing test files directly with Python, which executes arbitrary third-party code. In this skill's context, that goes beyond static compatibility analysis and creates a direct remote-code-execution path through any package selected for analysis.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Installing arbitrary third-party packages via pip is unsafe because package installation can trigger execution of setup/build backends, dependency resolution side effects, and native build steps. In a tool that accepts package names from the user or a requirements file, this exposes the analyst's environment to attacker-controlled package code and supply-chain attacks.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Subprocesses inherit nearly the full parent environment via env={**os.environ, ...}, which can expose tokens, credentials, proxy settings, and other sensitive host context to pip, pytest, package build scripts, and executed tests. Because those subprocesses may execute untrusted package code, passing through the host environment materially increases blast radius.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill explicitly downloads third-party packages and runs their tests with pytest, which can execute arbitrary untrusted code from package setup hooks, imports, fixtures, and test bodies. Without a prominent warning, users may treat this as a passive compatibility check rather than active code execution that can modify files, access secrets, make network calls, or destabilize the local environment.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation recommends running pip with sudo to resolve permission issues, but does not warn that installing Python packages with elevated privileges can execute arbitrary package setup/build code as root. In this skill's context, which involves downloading and testing third-party packages for compatibility, that omission is more dangerous because users are explicitly encouraged to install potentially untrusted dependencies.
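The env-inheritance, pytest-execution and sudo findings above share one remedy: run pip and pytest for an untrusted package only as an unprivileged user, from a throwaway working directory, with an allowlisted environment instead of {**os.environ, ...}. The helper below is an added example, not the skill's own run_command; the allowlist, the secret-name pattern and the pip variables it sets are assumptions chosen for illustration.

```python
import os
import re
import subprocess
import tempfile
from typing import Dict, List, Tuple

# Variables a pip/pytest child genuinely needs (assumed allowlist). Everything
# else from the host, including cloud credentials, API tokens and proxy URLs
# with embedded passwords, is dropped. Re-add a proxy explicitly, without
# credentials, if the network requires one.
ALLOWED_ENV = ("PATH", "LANG", "LC_ALL", "TZ", "SYSTEMROOT", "TEMP", "TMP")

# Names that must never reach untrusted code even if the allowlist is widened.
SECRET_PATTERN = re.compile(
    r"(TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|ACCESS_KEY|CREDENTIAL|PRIVATE_KEY)", re.I
)


def build_child_env(host_env: Dict[str, str], workdir: str) -> Dict[str, str]:
    """Return a minimal environment for pip/pytest instead of passing the host's through."""
    env = {k: v for k, v in host_env.items()
           if k in ALLOWED_ENV and not SECRET_PATTERN.search(k)}
    # Point HOME and pip at the scratch directory so package code cannot read
    # ~/.ssh, ~/.aws or ~/.pypirc and cannot poison the real pip cache.
    env["HOME"] = workdir
    env["PIP_NO_CACHE_DIR"] = "1"
    env["PIP_DISABLE_PIP_VERSION_CHECK"] = "1"
    env["PYTHONDONTWRITEBYTECODE"] = "1"
    return env


def is_privileged() -> bool:
    """True when running as root; untrusted setup/build/test code must never run that way."""
    geteuid = getattr(os, "geteuid", None)  # not available on Windows
    return geteuid is not None and geteuid() == 0


def run_untrusted(cmd: List[str], timeout: int = 300) -> Tuple[bool, str, str]:
    """Run pip/pytest for a third-party package with a stripped environment and a scratch cwd."""
    if is_privileged():
        raise PermissionError("refusing to run untrusted package code as root; do not use sudo")
    with tempfile.TemporaryDirectory() as workdir:
        result = subprocess.run(
            cmd, capture_output=True, text=True, timeout=timeout,
            cwd=workdir, env=build_child_env(os.environ, workdir),
        )
    return result.returncode == 0, result.stdout, result.stderr


if __name__ == "__main__":
    import sys
    # The child sees only the allowlisted variables, so this prints an empty list.
    print(run_untrusted([sys.executable, "-c",
                         "import os; print([k for k in os.environ if 'TOKEN' in k])"]))
```

This limits what leaks through the environment and refuses the sudo path the documentation suggests; it is not a sandbox. Package code still has the user's full filesystem and network access, so the disposable, low-privilege environment recommended in the Overview remains necessary.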

Missing User Warnings

Low
Confidence
83% confidence
Finding
The guide suggests permanently rewriting pip configuration to use a mirror, but does not warn users about the trust, supply-chain, and persistence implications of changing their global package source. A persistent config change can silently affect future installs beyond this skill, increasing the blast radius if the mirror is untrusted, compromised, or stale.

Missing User Warnings

High
Confidence
98% confidence
Finding
The guide instructs users to download and run get-pip.py from the internet without any warning about remote code execution risk. Running a fetched bootstrap script executes arbitrary code from a network source, which is especially risky in a package-management skill that already interacts with external repositories and user environments.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The tool automatically downloads source archives from GitHub/PyPI and installs packages without a prominent warning that it will transfer data externally and modify the local system state. In a security-sensitive analysis workflow, hidden network and installation side effects can surprise users and lead to unintended exposure or unsafe execution.

Missing User Warnings

High
Confidence
97% confidence
Finding
The script executes pytest and sometimes direct Python test files from untrusted packages without a clear warning that arbitrary third-party code will run. Given the skill's stated purpose, users may reasonably expect passive analysis, so the lack of warning materially increases the risk of accidental execution of hostile package code.

VirusTotal

66/66 vendors flagged this skill as clean.
