
Security audit

process-data-monitor-claw

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed business monitoring and Feishu alerting helper, with expected operational risk that should be controlled through careful configuration.

Install only if you intend to run continuous business monitoring. Use dedicated read-only accounts, keep Feishu webhook and bot tokens in environment variables, avoid putting secrets in alert text, confirm alert recipients and destinations, and do not grant unrelated crypto or purchasing authority.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 78%
Finding: The skill references executable shell scripts (`scripts/monitor-daemon.sh` and `scripts/alert-sender.sh`) but does not declare corresponding permissions or capabilities. This creates a transparency and governance gap: an agent may invoke shell-based behavior without explicit permission review, increasing the risk of unintended command execution or access to local/runtime resources.

Vague Triggers

Medium
Confidence: 81%
Finding: Using very broad trigger terms like “监控” and “告警” can cause unintended invocation in unrelated conversations. In this skill's context, accidental activation is more concerning because the skill is associated with shell scripts and alert-sending behavior, which could lead to unnecessary data handling, outbound notifications, or execution of operational workflows without clear user intent.

VirusTotal

64/64 vendors flagged this skill as clean.
