Crucible Forge

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real workspace organization tool, but it can run Python configs and configured process commands with the user's privileges.

Install only if you trust the publisher and will run it in a limited, backed-up workspace. Treat any forge_config.py as executable code, review it like a script before use, avoid third-party configs, disable or hardcode process checks where possible, and keep generated reports/manifests out of shared repos because they may reveal file structure, secret locations, and process details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for cmd in commands:
    try:
        cmd_list = shlex.split(cmd) if isinstance(cmd, str) else list(cmd)
        result = subprocess.run(
            cmd_list, capture_output=True, text=True, timeout=10
        )
        for line in result.stdout.splitlines():
Confidence
95% confidence
Finding
result = subprocess.run(cmd_list, capture_output=True, text=True, timeout=10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and documents file read, file write, and shell-adjacent capabilities but does not declare permissions or equivalent guardrails in the manifest. That increases the chance an agent or user invokes a high-impact workspace-manipulation skill without understanding its effective authority, especially because it can inspect processes and operate on large portions of a filesystem.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior materially diverges from the headline description: the skill claims safe execution of reorganization, but also executes Python config code, inspects running processes, and scans file contents for secrets. This mismatch can mislead users into treating it as a passive planner when it has code-execution and sensitive-inspection behaviors, which raises the likelihood of unsafe use and privilege overreach.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
`load_config()` executes the supplied config file as Python via `spec.loader.exec_module(config)`, which gives arbitrary code execution to whoever controls `--config`. The surrounding file-size and extension checks do not mitigate this; a malicious `.py` config can run arbitrary commands, read secrets, or alter audit results before any checks occur.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The comment claims path validation provides security, but the code still executes the config file as Python. This is dangerous because it creates a false sense of safety for operators and reviewers, increasing the chance that untrusted configs will be treated as harmless even though they provide full code execution.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The planner loads a user-supplied Python config with importlib and then executes it via exec_module, which allows arbitrary code execution as soon as the config is parsed. The preceding checks only validate existence, extension, and size, and do not reduce the fundamental risk of executing attacker-controlled Python.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The comment says the path is validated before executing the config file, which can mislead reviewers into believing the operation is safe, but the code still executes arbitrary Python from that file. This is dangerous because it creates a false sense of security around a high-risk behavior in a tool intended to operate on user workspaces.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill scans running system processes in addition to workspace files, which exceeds a normal workspace reorganization/scanning scope and may expose unrelated host information. In an agent skill context, this broadens access beyond least privilege and can collect sensitive command-line data from other workloads on the machine.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code allows arbitrary configured subprocess commands to be executed for process detection, which is not justified by the stated functionality of a workspace scanner. Since configuration is executable Python and can fully control PROCESS_CHECK_COMMANDS, an attacker who can influence the config gains code execution through a feature that appears benign.

Intent-Code Divergence

Low
Confidence
82% confidence
Finding
Although the comment says protected directories are skipped, the implementation still enumerates filenames and records metadata such as relative path, size, extension, and modification time for files within those directories. This can leak information about supposedly protected content and may violate user expectations or policy boundaries.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The scanner writes a detailed report to disk containing file inventory, broken references, possible secrets hits, and running process details without warning that the output is sensitive. This creates a secondary sensitive artifact that may be easier to exfiltrate, commit, or access than the original scattered data.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
This skill loads configuration from a user-provided Python file using `importlib.exec_module`. **This executes the config file as Python code.**

- Only run config files you have written or fully reviewed
- A malicious or unreviewed config file can execute arbitrary code on your system
- Config path is validated for existence, `.py` extension, and size (1MB cap) before execution
- Do not run configs provided by untrusted sources without inspection
Confidence
99% confidence
Finding
execute arbitrary code

VirusTotal

65/65 vendors flagged this skill as clean.
