Skill Install Manager 1.0.0

Security checks across malware telemetry and agentic risk

Overview

This skill claims to safely vet and install other skills, but its included safety checks are mocked and can give users false confidence.

Treat this as an incomplete or mock installer, not as a security control. Do not rely on its SAFE TO INSTALL output; independently vet the exact skill source, review all files and install steps, avoid arbitrary external sources unless intended, and do not log secrets, private repository names, or sensitive queries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill presents itself as a mandatory safe installation manager, but the documented behavior only describes a process and examples rather than enforcing actual vetting, configuration-change detection, or reporting. This creates a false sense of security: users or downstream agents may rely on guarantees that are not implemented and install unvetted skills from broad external sources.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The example workflow claims Skill Vetter approval is mandatory, but then proceeds to installation without demonstrating an enforced approval check or machine-verifiable gate. In practice, operators may copy the example and perform direct installation, bypassing the very safety control the skill claims to require.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill says installs requiring configuration changes must be refused, but the documented install behavior shows a generic install path with no demonstrated preflight check, policy evaluation, or refusal mechanism. That gap can lead users to run installations that modify system state despite the stated prohibition.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script presents a fabricated 'Skill Vetter' report with fixed values and a SAFE verdict regardless of the selected skill, so users may trust and install unvetted content. In the context of a security-focused installer that claims mandatory vetting, this creates a dangerous false sense of assurance and can directly enable installation of malicious skills.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The code claims it will detect and reject skills that require configuration changes, but it only simulates the check and always reports success. This means a skill that alters sensitive settings, startup behavior, credentials, or security controls could be installed under a false claim of compliance.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The comments and stated behavior promise mandatory safety enforcement, but the implementation only mocks both the vetting and configuration checks. This mismatch is security-relevant because operators may rely on documented guarantees when deciding whether to install third-party skills, increasing the chance of unsafe deployment.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The examples perform network transmission and installation actions without prominently warning that user queries, metadata, or environment-linked credentials may be sent externally and that system state may change. In an agent skill context, copyable examples often become operational behavior, so missing warnings can lead to unintended data disclosure or unauthorized modifications.

Ssd 3

Medium
Confidence
89% confidence
Finding
The instruction to log all search and installation operations is overbroad and could capture user-provided queries, repository identifiers, API-related context, or other sensitive operational data in plaintext. In a skill that interfaces with external services and installation tooling, indiscriminate logging materially increases confidentiality and retention risk.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Search for skills related to "weather"
# 1. First search via Composio
curl -X POST "$COMPOSIO_BASE/tools/execute/COMPOSIO_SEARCH_TOOLS" \
  -H "x-api-key: $COMPOSIO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
86% confidence
Finding
```bash
curl -X POST "$COMPOSIO_BASE/tools/execute/COMPOSIO_SEARCH_TOOLS" -H "x-api-key: $COMPOSIO_API_KEY" -H "Content-Type: application/json" -d
```

VirusTotal

66/66 vendors flagged this skill as clean.
