Security audit

DataHive Installer

Security checks across malware telemetry and agentic risk

Overview

This skill appears to automate DataHive login, but it also makes persistent, privileged Chrome changes and leaves a debuggable browser running in the background.

Review carefully before installing. Use only if you trust the publisher, DataHive, the forced Chrome extension ID, and a persistent managed Chrome profile on this machine. Prefer a dedicated browser profile and Gmail account, avoid exposing magic-link tokens, and plan how to remove the Chrome policy, ~/.chrome-datahive state, and background Chrome supervisor afterward.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill performs shell-based system changes and browser automation, but does not declare permissions or prominently disclose the breadth of those capabilities. This increases the risk that an operator or calling framework will execute commands that install software, alter browser policy, and access local authenticated tooling without informed consent or proper sandboxing.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose frames the skill as a login helper, but the described behavior includes force-installing Chrome-related policy, installing system packages, launching a persistent remotely debuggable browser, and maintaining a dedicated profile. That mismatch is dangerous because it conceals materially more powerful behavior than the user would reasonably expect from a simple magic-link login flow, enabling stealthy persistence and broader browser compromise opportunities.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill presents itself as sign-in automation while also functioning as an installer/setup routine that changes the host environment. This inconsistent framing can mislead operators into approving system-level modifications they did not intend, reducing meaningful consent and increasing the chance of unsafe execution in sensitive environments.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The documentation explicitly claims the skill is limited to authentication automation, yet the steps include package installation and browser policy/configuration changes. This understatement is dangerous because it hides privileged host modifications behind a narrow-sounding workflow, undermining operator awareness and safe approval decisions.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script force-installs a Chrome extension through managed system policy on Ubuntu, which exceeds the stated purpose of sign-in automation and removes the user's ability to review or decline the extension. Because browser extensions can read page content, session data, and interact with visited sites, silently enforcing one creates a significant trust and privacy boundary violation.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The macOS path writes a managed Chrome policy plist under /Library/Managed Preferences to enforce extension installation system-wide. This creates persistent browser modification with elevated privileges and is not justified by the described magic-link login workflow, making it materially more dangerous than ordinary prerequisite setup.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Removing the macOS quarantine attribute from Google Chrome weakens an OS security control that warns users about downloaded software provenance. Doing this automatically and without clear justification normalizes bypassing platform protections and can mask the user's awareness of trust decisions about the application.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The description does not warn up front that the skill reads from the operator's authenticated Gmail account to retrieve a login link. Accessing mailbox contents and extracting authentication tokens is highly sensitive; without prominent disclosure, users may unknowingly authorize email data access that can expose account metadata and one-time login secrets.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The prerequisite installation instructions omit a clear warning that they modify the system and browser policy configuration, including managed preferences. Silent installation of software and policy changes can weaken the user's security posture and create long-lived side effects beyond the immediate login task.

Missing User Warnings

High
Confidence
97% confidence
Finding
The script performs a non-optional privileged browser policy change without meaningful warning, consent, or explanation of what the extension can do. Lack of informed consent is especially risky here because the change is persistent and affects browser trust boundaries rather than being a temporary runtime dependency.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Automatically removing quarantine from an application without substantive warning deprives the user of an important trust checkpoint. Even if the target is Chrome, silently bypassing that safeguard is an unsafe installation practice and broadens the script's effective authority beyond what the skill description suggests.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script uses sudo for package installation, repository configuration, and filesystem changes without clearly warning the user about the full scope of privileged modifications. While some privileged setup can be legitimate, the absence of explicit disclosure is risky in a skill whose description focuses narrowly on sign-in automation.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script accepts a user-controlled TARGET_URL and sends it directly to a Chrome DevTools Page.navigate command after creating a new tab. In this skill's context, that URL is expected to be a magic sign-in link, so opening it can trigger authenticated actions or exfiltrate tokens if the value is tampered with, and the script provides no validation, allowlisting, or user confirmation before making outbound requests and launching the browser navigation.

Session Persistence

Medium
Category
Rogue Agent
Content
Behavior by platform:
- `ubuntu`: installs Chrome + xvfb via `apt`, applies managed extension policy, installs `websocat`.
- `macos`: installs Chrome via Homebrew cask (if missing), applies managed extension policy in `/Library/Managed Preferences/com.google.Chrome.plist`, installs `websocat`.

## Step 2 — Launch browser in persistent background mode (platform-aware)
Confidence
95% confidence
Finding
plist

VirusTotal

66/66 vendors flagged this skill as clean.
