skill sec

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud-connected security dashboard agent whose remote sync and local skill discovery are disclosed and purpose-aligned, though users should trust the service before enabling it.

Install only if you trust Clawned with installed-skill metadata, hostname/OS registration data, and files you explicitly choose to scan. Use a dedicated API key, keep CLAWNED_SERVER pointed at the trusted service, and enable cron or watch-style ongoing sync only if you want continuing dashboard updates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Tainted flow: 'req' from os.getenv (line 24, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    # Tainted source: CLAWNED_API_KEY is read from the environment (os.getenv) and
    # placed in the Authorization header of every request to CLAWNED_SERVER.
    req = urllib.request.Request(f"{CLAWNED_SERVER}{endpoint}", data=body, method=method,
                                 headers={"Authorization": f"Bearer {CLAWNED_API_KEY}",
                                          "Content-Type": "application/json"})
    try:
        # Network sink: the credential-bearing request leaves the host here.
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as e:
        print(f"[!] API error {e.code}: {e.read().decode() if e.fp else ''}")
        sys.exit(1)
Confidence
97% confidence
Finding
with urllib.request.urlopen(req, timeout=60) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises significant capabilities—environment access, filesystem reads/writes, and network communication—without declaring permissions in the manifest. That creates a transparency and trust problem: users and policy engines cannot accurately evaluate what the skill can access, increasing the chance of unexpected data exposure or unauthorized outbound communication.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented behavior understates the actual operational scope: beyond scanning and syncing skills, the agent reportedly registers the host, uploads host metadata, supports continuous monitoring, and exposes detailed status/history. This mismatch is dangerous because users may consent to a narrow security-scanning function while the skill performs broader surveillance and remote reporting, which can leak system metadata and expand attack surface.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The agent sends hostname and OS to the remote service during registration, which is host-identifying telemetry not strictly necessary for basic skill inventory. In the context of a security-analysis agent, extra device fingerprinting data increases privacy and tracking risk, especially when combined with skill inventory and periodic sync behavior.

VirusTotal

65/65 vendors flagged this skill as clean.
