Security audit

Security Audit Tianjin

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local security-audit skill with an explicit auto-fix option; its risks are real but purpose-aligned and user-invoked.

Install only if you intend to audit a Clawdbot deployment under /root/clawd. Run the normal audit first and keep reports private because they may expose sensitive paths or credential locations. Use --fix only after reviewing or backing up configuration files, since it can change permissions on .env, JSON, key, and PEM files and create a .gitignore.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Description-Behavior Mismatch

Severity: Medium, confidence 97%
The script implements a `--fix` mode that changes file permissions and creates `.gitignore`, which is a write-capable behavior not reflected by the skill's audit-focused description. In an agent skill context, undocumented mutation of repository state is dangerous because users may invoke a supposedly read-only security audit and unexpectedly alter files, permissions, or workflow behavior.

Intent-Code Divergence

Severity: Low, confidence 90%
The header comment documents only scanning flags and omits `--fix`, even though the script supports state-changing remediation. Hidden or undocumented write behavior reduces informed consent and can lead operators or agents to run a mutating command under the assumption that it is read-only.

Missing User Warnings

Severity: Medium, confidence 95%
The skill explicitly advertises an auto-fix mode that changes file permissions and configuration state, but the documentation does not clearly warn that running it will modify the system. In a security-audit context, users may assume the command is read-only, so silent remediation can cause unintended configuration drift, break workflows, or apply risky changes without informed consent.

Missing User Warnings

Severity: Medium, confidence 98%
The auto-fix path changes `.env` permissions immediately with `fs.chmodSync(envFile, 0o600)` and no confirmation prompt or preview. In an automation setting this can break expected group access, alter deployment behavior, or cause unintended state changes without user awareness.

Missing User Warnings

Severity: Medium, confidence 98%
The script recursively rewrites permissions for all matched sensitive files without user confirmation or targeted review. Bulk permission changes can disrupt applications, shared access models, or operational workflows, especially when run by an agent with elevated filesystem access.

Missing User Warnings

Severity: Medium, confidence 95%
Creating a new `.gitignore` file changes repository contents and future version-control behavior without confirmation. In a skill advertised as an audit tool, unprompted repository mutation is risky because it may hide files from version control or interfere with existing development practices.

VirusTotal

60/60 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec (Critical) at scripts/audit.cjs:166

Shell command execution detected (child_process).