Permission Vending Machine

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real permission-approval tool, but its approval paths can authorize destructive actions with weak request binding and exposed approval tokens.

Install only after securing the approval path: bind the HTTP server to localhost or a protected network, avoid GET approval links for real destructive actions, require valid tokens tied to a single pending request and approver, protect or redact logs and the SQLite database, and use dedicated revocable credentials for email, Discord, Telegram, Slack, or Sendblue.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Tainted flow: 'unit_content' from os.environ.get (line 425, credential/environment) → pathlib.Path.write_text (file write)

Medium
Category
Data Flow
Content
WantedBy=multi-user.target
"""
    unit_path = Path("/tmp/pvm.service")
    unit_path.write_text(unit_content)
    print(f"✅ Systemd unit written to {unit_path}")
    print("   To install (requires sudo):")
    print(f"   sudo mv {unit_path} /etc/systemd/system/pvm.service")
Confidence
77% confidence
Finding
unit_path.write_text(unit_content)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation describes a system that reads configuration, stores data, exposes network services, invokes shell commands, and manages files, yet it does not declare any permissions. This creates a transparency and trust problem: an agent or reviewer may approve or run the skill without understanding that it needs broad capabilities including network, shell, file I/O, and environment access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared description frames the skill as a narrow approval gate, but the documented behavior is substantially broader: service installation, daemonization, HTTP serving, credential configuration, storage, audit querying, and approval workflows with risky defaults. This mismatch can mislead operators about the true attack surface and cause them to authorize a skill that persists on the host and exposes networked approval functionality they did not expect.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The docstring states that bare APPROVE/DENY messages may be resolved to the most recent pending request, but this component forwards an empty token with no binding to a specific approval request. In a permission-gating system for destructive actions, allowing tokenless approvals can enable ambiguous or misrouted authorization, potentially approving the wrong pending operation if downstream logic falls back to sender-based or recency-based matching.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The server performs approval and denial state changes on GET as well as POST, despite documenting them as POST-only. In a permission-gating system for destructive operations, GET-based state changes are dangerous because links can be triggered by link preview bots, prefetchers, crawlers, browser history tools, or accidental clicks, causing unauthorized approval without deliberate user intent.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
If the server cannot find a request for a presented token, the fallback logic still creates a grant by mining audit history for any entry containing that token and reusing prior metadata. This can allow approval of stale, malformed, or ambiguously matched tokens and may issue grants without a valid live request, weakening the approval boundary for destructive operations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README documents approval via simple HTTP GET links such as /approve/<token> without warning that merely visiting the URL triggers authorization for destructive actions. In a permission-gating system, this creates a real risk of accidental approval, link prefetching, chat/email security scanners, or CSRF-like triggering if the endpoint is reachable, which can directly authorize dangerous commands.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill documents an approval flow over plain HTTP using a bearer-style token in the URL, without warning about transport security, token leakage, or replay risk. Tokens in URLs can be exposed through browser history, logs, proxies, referer headers, chat previews, and network interception, allowing unauthorized approvals of destructive operations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code logs the approval token in plaintext when an approval email is processed. In this skill, the token is part of an authorization workflow for dangerous actions, so exposing it to logs can let anyone with log access replay or misuse the token to obtain or correlate approvals for sensitive operations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code logs `request.approval_token` in plaintext during polling. Approval tokens are authentication secrets for a sensitive permission workflow; if log readers, centralized logging systems, or support tooling can access them, an attacker could reuse the token to approve or interfere with destructive operations. In this skill's context, which gates file deletion and force-push actions, exposure is more dangerous because the token protects high-risk actions.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code logs approval tokens and full sender phone numbers, exposing sensitive authorization material and personal data in application logs. In this skill's context, tokens are part of the control path for approving destructive operations, so log exposure could aid replay, correlation of approvals, or privacy violations if logs are broadly accessible.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The approve and deny URLs immediately execute safety-critical actions with no confirmation step, no explicit warning, and no additional authentication context. In this skill's context, these endpoints gate destructive actions like file deletion or git force-push, so a single accidental tap, auto-opened link, or forwarded URL can directly authorize a dangerous operation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This code transmits the approval token, agent identity, scope, reason, and approval links to a third-party Discord webhook. In this skill's context, the token is effectively an authorization secret for destructive operations, so exposing it to Discord infrastructure, webhook logs, channel members, or misconfigured destinations can enable unauthorized approval or denial of sensitive actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The wizard collects secrets such as email passwords, Telegram bot tokens, webhook URLs, and possibly API credentials, then writes them directly into YAML configuration on disk without warning about storage sensitivity or enforcing restrictive file permissions. In the context of a permission-gating service, compromise of these credentials could let an attacker intercept approvals, spoof approvers, or take over notification channels that control sensitive operations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code stores approval tokens in the database and also interpolates them directly into audit log entries. If audit logs or the SQLite file are accessible to other users, operators, or compromised components, those tokens can be replayed to approve or correlate pending sensitive operations, undermining the human-approval gate this skill is meant to enforce.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Permission request creation persists the raw approval token and logs it in the audit trail at creation time. In this permission-vending context, the token likely functions as an authorization secret for approving destructive actions, so exposing it in logs materially increases the risk of unauthorized approval by anyone with log or DB access.

VirusTotal

VirusTotal findings are pending for this skill version.