VM Health Check

Security checks across malware telemetry and agentic risk

Overview

This VM health-check skill is mostly coherent, but it gives the agent SSH-based server access and includes under-protected Docker cleanup actions that can change a remote machine.

Install only if you are comfortable letting the agent SSH into the configured VM. Use a dedicated least-privilege SSH key, keep TOOLS.md private, verify the saved host before each use, and avoid the cleanup section unless you explicitly want Docker images and build cache pruned on that server.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill is presented primarily as a VM health-check/reporting tool, but the documented behavior includes cleanup actions that can delete remote Docker artifacts and relies on SSH access behavior not disclosed in the description. In a remote-administration context, hidden or under-disclosed destructive capabilities materially increase the risk of unintended system changes and unsafe operator trust.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The skill instructs persistent storage of SSH connection details, including the private key path, in TOOLS.md without demonstrating a need for long-term retention or any protection mechanism. Persisting infrastructure access metadata expands the attack surface by making sensitive connection information easier to discover, reuse, or exfiltrate from local files.

Description-Behavior Mismatch

High
Confidence
92% confidence
Finding
The documented interface includes a cleanup mode with Docker prune operations even though the skill is marketed as a reporting/checking utility. In a remote VM context, conflating inspection with mutation can cause users to invoke destructive maintenance actions when they intended only to observe system state.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script includes a destructive cleanup mode that prunes unused Docker images and all build cache, which goes beyond passive health checking and can affect operational state on the target VM. In the context of a tool marketed primarily as an instant VM health check, bundling mutation-capable cleanup increases the chance of accidental execution and unexpected service-impacting changes.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The SSH command disables host key verification with 'StrictHostKeyChecking=no', allowing connections to proceed without validating the server identity. This makes the script vulnerable to man-in-the-middle attacks, where an attacker could impersonate the VM, capture commands and output, or influence what the operator sees.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger phrases are broad and map to common admin/helpdesk language, making accidental invocation more likely during ordinary conversations about server health or disk usage. Because this skill can initiate remote SSH-based actions and potentially cleanup operations, unintended triggering raises the chance of unauthorized or surprising system access.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill persists SSH host, username, and private-key path in TOOLS.md without a clear warning that this information is sensitive and retained. Even if the key material itself is not stored, keeping connection metadata in a predictable file can expose privileged infrastructure targets and facilitate later misuse.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script not only disables SSH host key checking but also provides no warning to the user that server identity is not being verified. In a remote administration tool, this is especially dangerous because users may assume they are securely inspecting their VM while an attacker could intercept or spoof the connection.

VirusTotal

66/66 vendors flagged this skill as clean.