VecML AutoML

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent VecML AutoML helper, but it sends selected CSV data to VecML and should only be used with data approved for that service.

Install only if you are comfortable sending the selected CSV rows, labels, and prediction inputs to VecML. Use a revocable VecML API key, leave VECML_API_URL unset unless you intentionally trust the alternate endpoint, confirm the target column and remote project/model names before running, and avoid sensitive or regulated datasets unless VecML is approved for that data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Tainted flow: 'req' from os.environ.get (line 34, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=120) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as e:
        body = e.read().decode()
Confidence
95% confidence
Finding
with urllib.request.urlopen(req, timeout=120) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly relies on environment variables, reads user-provided CSVs, writes prediction outputs, and communicates with a remote VecML service, but those capabilities are not explicitly declared as permissions. That mismatch reduces transparency and can cause users or orchestrators to invoke the skill without understanding that local data and secrets will be accessed and data will be transmitted externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The description frames the skill as a simple local AutoML helper, but the documented behavior includes creating remote projects, uploading datasets and labels to an external cloud API, polling remote jobs, and listing remote models. This behavioral gap is dangerous because users may provide sensitive datasets under the mistaken belief that processing is local or limited to model training assistance.

Vague Triggers

High
Confidence
88% confidence
Finding
The trigger terms include very generic phrases such as "train," "predict," "model," "CSV," and "accuracy," which are likely to appear in ordinary conversation unrelated to this specific external-uploading AutoML skill. Overbroad triggers increase the chance of accidental activation, which is especially risky here because activation can lead to reading local files and sending dataset contents to a third-party service.

Missing User Warnings

High
Confidence
97% confidence
Finding
The usage guidance tells the agent to run training on a user's file but does not clearly warn that the dataset will be base64-encoded and uploaded to an external VecML service. In context, this omission is more dangerous because the skill is designed to operate on arbitrary user CSVs, which may contain personal, proprietary, or regulated information.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The training path uploads the user's CSV-derived feature and label data to a remote VecML service without an explicit, unavoidable disclosure at the point of use. Because ML datasets commonly contain sensitive personal, business, or regulated data, silent transmission to a third party creates a real privacy and compliance risk in this skill context.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The prediction command reads a local CSV and sends it to the remote API without clearly warning that the file leaves the local system. Even inference inputs can contain sensitive production records, so the lack of disclosure can lead to unintended third-party data exposure.

VirusTotal

66/66 vendors flagged this skill as clean.
