Smart Scheduler

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches a scheduler/routing purpose, but it under-discloses local service data sharing and persistent input logging while making unsupported safety claims.

Install only if you are comfortable with automatic task routing, localhost service calls, and local logging of user input snippets. Avoid sending secrets or sensitive business data through it unless the publisher documents the exact services contacted, disables or redacts persistent logs, and corrects the unsupported sandbox/network safety claims.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
    temp_file = f.name

    # 3. Execute (isolated environment)
    result = subprocess.run(
        ['python3.8', temp_file],
        capture_output=True,
        text=True,
Confidence: 95%
Finding: result = subprocess.run( ['python3.8', temp_file], capture_output=True, text=True, timeout=10, cwd=tempfile.

Context-Inappropriate Capability

Severity: High
Confidence: 93%
Finding: The fallback 'self_generate' path expands a scheduler/router into an autonomous code-generation component, which is a risky capability jump not justified by the stated purpose. In skill context, a scheduler may receive broad, user-supplied tasks, so routing unknown work into generation/execution materially increases the chance of abuse and unexpected privileged actions.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: This block implements generation of Python code from task data and local execution through subprocess, which is an unjustified remote-code-execution primitive in a scheduler. Because task descriptions can be attacker-controlled and are interpolated into source code, the surrounding skill context makes this more dangerous: a general-purpose scheduler will often handle arbitrary user requests and can become an execution trampoline.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The code advertises mandatory debate verification for complex tasks, but on exception it silently returns the unverified result as passed=true. This creates a fail-open trust boundary where downstream consumers may believe content was validated when it was not, enabling unsafe, incorrect, or policy-violating outputs to be treated as approved.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding: The comments state complex-task outputs must reach consensus, yet the exception path marks unverified output successful and returns it to the caller. In a scheduler that claims deep reasoning and validation, this mismatch can cause users or other components to overtrust unaudited results, especially for high-stakes planning or analysis tasks.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The routing rules are overly broad and can classify ordinary messages based on short length or common keywords such as 查询、删除、设置 (query, delete, settings). In a skill that appears to have access to files, network, and execution backends, misrouting can unintentionally trigger higher-risk handlers, external calls, or destructive operations without sufficient user intent verification.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The verifier sends task_result and context to a separate debate service without any consent, redaction, or disclosure controls. Even though the endpoint is localhost, this is still an external process boundary and may expose sensitive user or business data to another service, log sink, or model backend behind that API.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The full task object is POSTed to a local HTTP service without minimization, redaction, or any disclosure/consent boundary. In this skill's context, task payloads may include sensitive prompts, file contents, secrets, or internal metadata, so forwarding everything to another service creates a real data-exposure path even if the destination is localhost.

Ssd 3

Severity: Medium
Confidence: 81%
Finding: The stats collector writes arbitrary stats dictionaries directly to a persistent JSONL file with no field allowlist, redaction, or retention controls. In practice, upstream callers may include task descriptions, prompts, results, or identifiers, creating a durable natural-language data leakage channel on disk.

Ssd 3

Severity: Medium
Confidence: 91%
Finding: The scheduler stores slices of raw user input in both persistent stats and in-memory history without minimization, redaction, retention limits, or access controls shown here. Because this skill handles arbitrary natural-language tasks, users may include sensitive business data, credentials, personal information, or proprietary requests, creating a realistic privacy and data-leak path.

VirusTotal

65/65 vendors flagged this skill as clean.