swamp

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned with Swamp, but it gives an agent broad API automation and extension registry powers without enough scoping or safety controls.

Install only if you want an agent to help build and run API automations. Use a dedicated test repository, verify the swamp binary, use least-privilege test credentials, review generated model YAML and shell commands before execution, avoid --force unless you know what will be overwritten, and require explicit approval before registry login, extension pull/push/remove, workflow runs, or any create/update/delete operation against external services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The skill states that all Swamp operations run locally and credentials stay on the user's machine, yet it also instructs use of remote authentication, registry pull, and registry push operations. This can mislead users about network exposure, where artifacts are sent, and when secrets or metadata may leave the local environment, increasing the chance of unsafe use.

Vague Triggers

Medium
Confidence: 86%
Finding
The skill is framed as able to model 'any API' and external resource, with highly general instructions and no meaningful guardrails on which systems are appropriate to access. In an agent context, this broad scope can enable risky interactions with sensitive internal services, production systems, or destructive endpoints without requiring explicit user confirmation or safety checks.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill directs initialization and later includes commands that can create repositories, modify files, overwrite content, and publish extensions, but it does not consistently warn about filesystem or remote publication side effects. In an agent setting, missing impact disclosures make accidental repository changes, clobbering of local files, or unintended publication more likely.

VirusTotal

65/65 vendors flagged this skill as clean.