Strands Agents SDK

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Strands agent-building skill, but its default scaffold gives agents broad file and shell access without strong limits or warnings.

Install only if you are comfortable treating generated agents as privileged local programs. Review generated code before running it, remove or constrain shell and file-write tools, use a sandboxed project directory or container, use least-privilege API and cloud credentials, and connect only trusted MCP servers or agent files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documents and encourages use of sensitive capabilities including file read/write, shell execution, and MCP connectivity, but the metadata declares no permissions. This creates a mismatch between what the skill can induce an agent to do and what operators may expect, increasing the risk of unsafe execution, policy bypass, or under-informed deployment decisions.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The generated starter agent includes unrestricted file-write capability by default, allowing the model to create or overwrite arbitrary files on the user’s system. For a generic scaffold, this exceeds minimum necessary privileges and increases damage potential from model mistakes, malicious prompts, or prompt injection.

Context-Inappropriate Capability

Low
Confidence
83% confidence
Finding
The generated starter agent includes unrestricted file-write capability by default, allowing the model to create or overwrite arbitrary files on the user’s system. For a generic scaffold, this exceeds minimum necessary privileges and increases damage potential from model mistakes, malicious prompts, or prompt injection.
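The constrained file-write tool that the Overview's advice and this finding call for, as an added example (not the skill's scaffold and not the Strands SDK's own file_write tool): a plain Python function that confines every write to one sandbox directory, resolves symlinks before checking containment, rejects absolute paths, and refuses to overwrite unless told to. The size cap and the overwrite flag are assumptions; registering the function as an agent tool is not shown.

```python
import os
from pathlib import Path

# Added example, not the Strands SDK's file_write tool: every write is confined
# to one sandbox root. MAX_BYTES and the overwrite flag are assumptions.
MAX_BYTES = 1_000_000


def resolve_in_sandbox(root: Path, user_path: str) -> Path:
    """Map a model-supplied relative path to a real path inside root.

    Symlinks are resolved *before* the containment check, so a link inside
    the sandbox that points outside cannot be used to write through it.
    """
    root = root.resolve()
    if os.path.isabs(user_path):
        raise PermissionError(f"absolute paths are not allowed: {user_path}")
    # resolve() follows symlinks in the existing prefix and keeps the
    # not-yet-existing tail, so new files get the same check as existing ones.
    target = (root / user_path).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        raise PermissionError(f"path escapes sandbox: {user_path}") from None
    if target == root:
        raise PermissionError("refusing to write to the sandbox root itself")
    return target


def write_file_confined(root, user_path: str, content: str, overwrite: bool = False) -> str:
    """Write content to user_path under root; returns the resolved path written."""
    data = content.encode("utf-8")
    if len(data) > MAX_BYTES:
        raise ValueError(f"payload exceeds {MAX_BYTES} bytes")
    target = resolve_in_sandbox(Path(root), user_path)
    if target.exists() and not overwrite:
        raise FileExistsError(f"refusing to overwrite without overwrite=True: {target}")
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return str(target)
```

The containment check is done on the fully resolved path rather than on the string the model supplied, which is what defeats both `../` traversal and a symlink planted inside the project directory.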

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The built-in tools example includes `file_write` and `shell`, which can modify the local system or execute arbitrary commands, but it provides no warning about destructive actions, scope limits, or approval requirements. In an agent skill, such omissions can normalize unsafe defaults and lead users to expose powerful tools to an LLM without understanding the consequences.
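The scope limit and approval requirement this finding says the example omits, as an added example (not the Strands SDK's shell tool and not code from the skill): a shell tool that refuses shell metacharacters, runs only allow-listed programs without a shell, blocks state-changing subcommands, and calls an operator approval callback before executing. The allow-list, the blocked arguments and the timeout are assumptions to be tuned per project; registration as an agent tool is not shown.

```python
import shlex
import subprocess
from typing import Callable, Dict, List

# Added example, not the Strands SDK's shell tool. ALLOWED_PROGRAMS,
# BLOCKED_ARGS and TIMEOUT_S are assumptions; tune them per project.
ALLOWED_PROGRAMS = {"ls", "cat", "echo", "git"}
# Arguments of allow-listed programs that mutate state and must never run
# unattended. Crude (it matches any argument position) but fails closed.
BLOCKED_ARGS = {"git": {"push", "reset", "clean", "rm", "checkout"}}
SHELL_METACHARS = set("|&;<>`$()")
TIMEOUT_S = 10


class CommandRefused(PermissionError):
    """Raised when a command fails policy or the operator declines it."""


def vet_command(command: str) -> List[str]:
    """Parse a command string into argv and reject anything outside policy."""
    if SHELL_METACHARS & set(command):
        raise CommandRefused("shell metacharacters are not allowed")
    argv = shlex.split(command)
    if not argv:
        raise CommandRefused("empty command")
    prog = argv[0]
    # No path-based invocation: '/bin/echo' would bypass the name allow-list.
    if "/" in prog or prog not in ALLOWED_PROGRAMS:
        raise CommandRefused(f"program not allow-listed: {prog}")
    if any(arg in BLOCKED_ARGS.get(prog, ()) for arg in argv[1:]):
        raise CommandRefused(f"blocked argument for {prog}")
    return argv


def run_guarded(command: str, approve: Callable[[List[str]], bool], cwd=None) -> Dict[str, object]:
    """Vet, get operator approval, then execute without a shell."""
    argv = vet_command(command)
    if not approve(argv):
        raise CommandRefused("operator declined")
    proc = subprocess.run(
        argv, capture_output=True, text=True, timeout=TIMEOUT_S, cwd=cwd, shell=False
    )
    return {
        "argv": argv,
        "returncode": proc.returncode,
        "stdout": proc.stdout,
        "stderr": proc.stderr,
    }
```

Running the vetted `argv` with `shell=False` means the model never gets a shell at all; the metacharacter check is a second line of defence so that a quoted `$(...)` cannot reach a program that would interpret it.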

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The MCP examples connect to local or external servers and then expose their tools directly to the agent, but the documentation does not warn that MCP servers are code/trust boundaries that may access sensitive data or execute actions. This is dangerous because users may connect untrusted servers and inadvertently grant an agent broad capabilities or leak prompts and data to third parties.
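One way to treat an MCP server as a trust boundary rather than exposing whatever it advertises, as an added example (not Strands or MCP SDK code): pin a fingerprint of each tool's name, description and input schema at the time an operator approves the server, and afterwards expose only tools whose definition still matches. A tool that is new or whose description has changed (for example to carry injected instructions) is held back until re-approved. The tool descriptors are constructed dicts shaped like MCP's name/description/inputSchema fields; fetching them from a live server is not shown.

```python
import hashlib
import json
from typing import Dict, List, Tuple

# Added example, not Strands or MCP SDK code. Descriptors below are
# constructed; a real deployment would fetch them from the server's tool list.


def tool_fingerprint(tool: dict) -> str:
    """SHA-256 over a canonical encoding of the fields the model will see."""
    canonical = json.dumps(
        {
            "name": tool["name"],
            "description": tool.get("description", ""),
            "inputSchema": tool.get("inputSchema", {}),
        },
        sort_keys=True,
        separators=(",", ":"),
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def pin_tools(tools: List[dict]) -> Dict[str, str]:
    """Manifest to store alongside the server config after operator review."""
    return {t["name"]: tool_fingerprint(t) for t in tools}


def filter_trusted(tools: List[dict], manifest: Dict[str, str]) -> Tuple[List[dict], Dict[str, str]]:
    """Split advertised tools into those matching the manifest and those to hold back."""
    allowed, rejected = [], {}
    for tool in tools:
        pinned = manifest.get(tool["name"])
        if pinned is None:
            rejected[tool["name"]] = "not in manifest"
        elif pinned != tool_fingerprint(tool):
            rejected[tool["name"]] = "definition changed since pinning"
        else:
            allowed.append(tool)
    return allowed, rejected


SAMPLE_TOOLS = [  # constructed descriptors, not from a real server
    {
        "name": "read_ticket",
        "description": "Read one support ticket by id",
        "inputSchema": {"type": "object", "properties": {"id": {"type": "string"}}},
    },
    {
        "name": "search_docs",
        "description": "Full-text search over the docs",
        "inputSchema": {"type": "object", "properties": {"q": {"type": "string"}}},
    },
]
```

The description is part of the fingerprint on purpose: it is model-facing text, so a server that quietly rewrites it is changing what the agent will be instructed to do even if the tool name and schema stay the same.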

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The A2A server example starts a network-accessible service for agent interaction without discussing authentication, authorization, exposure scope, or abuse risks. Even though the sample binds to localhost, documentation that normalizes serving agent endpoints without access-control guidance can lead to unintended remote access, prompt injection via peers, or data exposure when adapted in real deployments.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The generated README omits any warning that the scaffolded agent can execute shell commands and write files, which can mislead users into running a highly privileged agent without understanding the risks. This omission is especially dangerous in an agent-building skill because users may treat the scaffold as a safe baseline and expose local systems to unintended actions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script dynamically imports and executes an arbitrary Python file via `spec.loader.exec_module(module)` with no warning, trust check, or sandboxing. Because importing Python executes top-level code immediately, a user who points this helper at an untrusted agent file can trigger arbitrary code execution on their machine, which is especially relevant in a skill designed to run custom agent code.
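The trust check this finding says the helper lacks, as an added example (not the skill's loader script): the agent file is accepted only if it lives under an approved directory and its SHA-256 matches a digest an operator pinned in advance, and the bytes that were hashed are the bytes that get executed, so the file cannot be swapped between the check and the import. The `pinned` mapping is an assumed operator-maintained allowlist keyed by resolved path.

```python
import hashlib
from pathlib import Path
from types import ModuleType
from typing import Dict

# Added example, not the skill's own helper. `pinned` is an assumed
# operator-maintained allowlist: {resolved file path: expected sha256 hex}.


def sha256_of(path) -> str:
    """Digest to record in the allowlist after reviewing an agent file."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def load_pinned_agent(path, trusted_dir, pinned: Dict[str, str]) -> ModuleType:
    """Import an agent file only if it is inside trusted_dir and matches its pinned digest."""
    path = Path(path).resolve()
    trusted_dir = Path(trusted_dir).resolve()
    try:
        path.relative_to(trusted_dir)
    except ValueError:
        raise PermissionError(f"agent file is outside the trusted directory: {path}") from None
    expected = pinned.get(str(path))
    if expected is None:
        raise PermissionError(f"no pinned digest for {path}; review and pin it first")
    data = path.read_bytes()
    actual = hashlib.sha256(data).hexdigest()
    if actual != expected:
        raise PermissionError(f"digest mismatch for {path}: file changed since it was pinned")
    # Compile and run exactly the bytes that were hashed. Re-opening the file
    # through importlib here would reintroduce a check-then-use race.
    module = ModuleType(path.stem)
    module.__file__ = str(path)
    exec(compile(data, str(path), "exec"), module.__dict__)
    return module
```

Importing still runs the file's top-level code, which is the point of the finding; what the digest buys is that the code run is code someone has read and approved, not whatever happens to be at that path now.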

VirusTotal

55/55 vendors flagged this skill as clean.
