Report Expert

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent for publishing reports to Cloudflare Pages, but it combines live deployment credentials, remote sync, and untrusted HTML publishing without enough scoping or guardrails.

Install only if you trust the report inputs, the workspace TOOLS.md, and the configured Cloudflare Pages site. Use a least-privilege Cloudflare token limited to the intended Pages project, avoid running sync against an untrusted or compromised site, review generated HTML before publishing, and treat remove/publish commands as live production changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Intent-Code Divergence

Medium (98% confidence)
Finding
The module promises 'clean HTML' without script content, but the HTML path returns input verbatim, the markdown path can emit raw HTML, and the text/title fields are interpolated into HTML without escaping. In a report-publishing skill that deploys output to Cloudflare Pages, this can result in stored XSS or malicious markup being published and executed in viewers' browsers.

Context-Inappropriate Capability

Medium (84% confidence)
Finding
The adapter fetches arbitrary URLs and executes an external network client, which gives this module SSRF-like capability not obvious from a simple format-conversion boundary. In the context of an agent skill, this may be abused to access internal services, metadata endpoints, or otherwise perform unintended network actions during report generation.

Context-Inappropriate Capability

Low (88% confidence)
Finding
The module automatically reads secrets and deployment settings from both a user-scoped path and a workspace-scoped TOOLS.md file, widening the trust boundary for sensitive configuration. In an agent skill context, this can cause unintended secret ingestion or use of attacker-influenced workspace content, especially if the workspace is user-controlled or shared across tasks.

Description-Behavior Mismatch

Medium (87% confidence)
Finding
The module can repopulate local content by pulling page lists and files from a live remote site, then merges that data into the local index. In a skill meant to generate and deploy reports, this expands authority into remote content ingestion and local file population, which creates a trust-boundary violation: a compromised or attacker-controlled `SITE_URL` can influence what content is written and later deployed.

Context-Inappropriate Capability

Medium (82% confidence)
Finding
Remote index restoration retrieves and trusts JSON from `SITE_URL` to reconstruct local state, using an external downloader and no origin validation. If an attacker can influence `SITE_URL` or the remote endpoint, they can supply a malicious index that drives subsequent downloads, page registration, and possible redeployment of attacker-controlled content.

Description-Behavior Mismatch

Medium (88% confidence)
Finding
The manifest claims a narrowed v2.0 Cloudflare-only deployment model, yet still advertises capabilities for external page indexing and iframe embedding of arbitrary external pages. That mismatch can expand the trust boundary and enable unsafe rendering of untrusted third-party content, increasing phishing, clickjacking, mixed-content, or script-origin confusion risks if the rest of the skill honors those capabilities.

Description-Behavior Mismatch

Medium (95% confidence)
Finding
This template implements substantial report-management behavior, including batch selection, drag-and-drop category moves, deletion selection, and command generation for destructive operations. For a skill whose stated purpose is generating and deploying HTML report pages, this expands capabilities beyond least privilege and creates a pathway for users or downstream agents to initiate content inventory changes and deletions that were not clearly justified by the skill scope.

Context-Inappropriate Capability

Medium (98% confidence)
Finding
The UI includes dedicated deletion-operation support by generating actionable instructions for removing pages. Even though the code does not directly delete files, it facilitates destructive operations and can be used to trick an operator or another agent into performing unauthorized deletions, which is risky in a report-publishing context.

Missing User Warnings

Medium (95% confidence)
Finding
The skill instructs users to configure a Cloudflare API token and then uses it for publishing and synchronization, but it does not warn that this credential is highly sensitive or that running the skill can modify live infrastructure. In context, this is more dangerous because the skill performs real remote deployment and bidirectional sync, so misuse or accidental invocation could expose secrets or alter a production site.

Missing User Warnings

Medium (87% confidence)
Finding
The HTML generator injects third-party scripts and font resources from external CDNs, which creates a supply-chain and privacy risk for every generated report page. If a CDN asset is compromised, blocked, or modified, client browsers will execute untrusted JavaScript or leak metadata to third parties, and this skill's deployment context to a public Cloudflare Pages site increases exposure.

VirusTotal

64/64 vendors flagged this skill as clean.