Skill Sandbox

Security checks across malware telemetry and agentic risk

Overview

This is a defensive testing tool, but its sandbox claims are stronger than what its code enforces, so users could run unsafe skills believing they are contained.

Use this only as a lightweight inspection helper, not as a real sandbox. Run unknown skills inside Docker, a VM, or another disposable environment, and do not trust a SAFE report as proof that the skill had no filesystem, network, subprocess, or credential behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The sandbox advertises monitoring of filesystem, network, environment, and subprocess activity, but the actual execution path uses subprocess.run with a sanitized environment and never applies the monitored open() or monitored environment wrappers to the child process. As a result, untrusted code can perform runtime file, network, and subprocess activity without those actions being captured in the report, creating a false sense of safety for anyone relying on this tool to vet skills before installation.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The CLI exposes flags such as --restricted and --monitor-network and prints guidance implying network blocking and enhanced monitoring, but those options are not enforced in execution. This misleading interface can cause operators to believe dangerous actions are being prevented when they are not, increasing the chance that malicious skills are trusted and installed after inadequate testing.

VirusTotal

66/66 vendors flagged this skill as clean.
