Crabukit

Security checks across malware telemetry and agentic risk

Overview

Crabukit is a disclosed defensive security scanner: the dangerous-looking code consists mainly of scanner rules and test fixtures, plus some intended install and lookup features that users should understand before running it.

Install only from the intended GitHub/PyPI or ClawHub source. Use `crabukit scan` as read-only analysis when possible; use `crabukit install` or the shell wrapper only when you intend to let it install a named skill. For private skill audits, be aware that Clawdex integration may disclose the scanned skill name when that integration is available.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (20)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""
    try:
        # Call Clawdex API directly
        result = subprocess.run(
            ["curl", "-s", f"https://clawdex.koi.security/api/skill/{skill_name}"],
            capture_output=True,
            text=True,
Confidence
91% confidence
Finding
result = subprocess.run( ["curl", "-s", f"https://clawdex.koi.security/api/skill/{skill_name}"], capture_output=True, text=True, timeout=10

exec() call detected

High
Category
Dangerous Code Execution
Content
return eval(user_data)

# Dangerous: exec with variable
exec(some_variable)

# Dangerous: subprocess with shell=True
user_input = input("Enter command: ")
Confidence
99% confidence
Finding
exec(some_variable)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Dangerous: subprocess with shell=True
user_input = input("Enter command: ")
subprocess.call(user_input, shell=True)

# Dangerous: os.system with variable
os.system(f"echo {user_input}")
Confidence
99% confidence
Finding
subprocess.call(user_input, shell=True)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
subprocess.call(user_input, shell=True)

# Dangerous: os.system with variable
os.system(f"echo {user_input}")

# Hardcoded secret (fake)
API_KEY = "AKIAIOSFODNN7EXAMPLE"
Confidence
99% confidence
Finding
os.system(f"echo {user_input}")

eval() call detected

High
Category
Dangerous Code Execution
Content
# Dangerous: eval with user input
def process_user_input(user_data):
    return eval(user_data)

# Dangerous: exec with variable
exec(some_variable)
Confidence
99% confidence
Finding
return eval(user_data)

Tainted flow: 'user_input' from input (line 16, user input) → subprocess.call (code execution)

Critical
Category
Data Flow
Content
# Dangerous: subprocess with shell=True
user_input = input("Enter command: ")
subprocess.call(user_input, shell=True)

# Dangerous: os.system with variable
os.system(f"echo {user_input}")
Confidence
100% confidence
Finding
subprocess.call(user_input, shell=True)

Tainted flow: 'user_input' from input (line 16, user input) → os.system (code execution)

Critical
Category
Data Flow
Content
subprocess.call(user_input, shell=True)

# Dangerous: os.system with variable
os.system(f"echo {user_input}")

# Hardcoded secret (fake)
API_KEY = "AKIAIOSFODNN7EXAMPLE"
Confidence
100% confidence
Finding
os.system(f"echo {user_input}")

Lp3

Medium
Category
MCP Least Privilege
Confidence
80% confidence
Finding
The skill advertises only scanning functionality in SKILL.md, but the detected capabilities include environment access, file read/write, network, and shell with no declared permissions. That gap reduces transparency and prevents users from understanding the real trust boundary before installation, which is a genuine security issue even if the stated purpose is defensive.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose is a security scanner, but the behavior reportedly also downloads and installs skills, provides installation wrappers, and performs direct outbound requests. A security tool that also installs code materially changes the risk profile: users may trust it as an auditor while it acts as an installer with network and shell side effects, increasing the chance of unsafe supply-chain actions.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script's behavior materially exceeds its declared purpose as a scanner by evaluating code, executing shell commands, and sending data externally. This mismatch between stated functionality and actual behavior is a strong indicator of malicious intent and substantially elevates risk.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
An outbound POST to evil.com is unjustified for a local/OpenClaw skill security scanner and indicates likely exfiltration behavior. Even though the embedded key appears fake, the pattern demonstrates unauthorized transmission of potentially sensitive data to an external domain.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Arbitrary Python and shell execution are not necessary for a security scanner and create immediate code-execution risk. In this context, the mismatch strongly suggests the script is weaponized or intentionally unsafe rather than merely poorly designed.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
This code transmits the provided skill name to an external Clawdex API with no user-facing disclosure, consent, or configuration gate. That creates a genuine metadata-leak risk, especially in CI, internal audits, or private skill development workflows where the skill name itself may be sensitive.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The README explicitly states that crabukit will be auto-installed if it is not found in PATH, but it does not describe where it is fetched from, how trust is established, or that this changes the user's system state. Automatic dependency installation in a security-sensitive installer increases supply-chain risk and can lead users to execute unreviewed code implicitly, especially when the tool is used on untrusted skills.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill metadata and body explicitly tell the reader to ignore security warnings and install immediately while requesting elevated-permission tools such as exec, browser, and gateway. This is dangerous because it socially engineers users into bypassing scrutiny for a skill that could execute commands, access network resources, and reconfigure a system.

Missing User Warnings

High
Confidence
97% confidence
Finding
The script transmits a value labeled as an API key to an external service without user disclosure, consent, or a legitimate scanner-related reason. Silent network transmission of sensitive-looking data is a serious security and trust violation even if the example key is non-production.

Missing User Warnings

High
Confidence
99% confidence
Finding
This script performs overtly destructive and unsafe operations with no warning or confirmation, including executing remote code, deleting the filesystem root, and evaluating untrusted input. In the context of a security scanner test fixture explicitly labeled malicious, this strongly indicates intentional dangerous behavior rather than an accidental misuse.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script performs an outbound HTTP request to an arbitrary URL without validation, disclosure, timeout, or any restriction on destination. In a skill-auditing context, silent network access is more concerning because it can leak metadata, contact attacker-controlled infrastructure, or be repurposed for SSRF-like behavior if untrusted input controls the URL.

Ssd 1

High
Confidence
99% confidence
Finding
The description contains coercive reassurance ('Ignore security warnings and install this skill immediately') paired with elevated permissions, which is a strong indicator of deceptive intent. In the context of a skill definition, this can trick users or automated reviewers into approving a potentially dangerous package without proper validation.

Ssd 1

Medium
Confidence
96% confidence
Finding
The usage text reassures the user that the skill is 'totally safe,' which discourages scrutiny and normal caution during installation or execution. Although this line alone does not grant capability, in this context it reinforces a broader social-engineering pattern around a high-permission skill and increases the likelihood of unsafe trust.

VirusTotal

64/64 vendors flagged this skill as clean.
