Clawhub Skills Rank

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate skill-discovery helper; its outbound ClawHub lookups should be disclosed more clearly but are aligned with its purpose.

Reasonable to install if you want a ClawHub skill search helper. Before use, understand that search keywords or skill slugs may be sent to ClawHub; avoid secrets, private project details, or personal data in queries. Publisher should improve metadata by explicitly declaring network access and documenting the exact endpoint and data sent.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 93% confidence
Finding: The skill explicitly instructs running a Python script that queries the public ClawHub search API, which is network-capable behavior, yet the metadata only declares a binary requirement and does not declare any corresponding network permission. This creates a transparency and policy-enforcement gap: users or platforms may approve the skill without understanding that it makes outbound requests, weakening trust and potentially bypassing permission-based review controls.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal