ClawHub

Network Topology Discovery

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate network discovery guide, but it needs review because its read-only label conflicts with instructions that can change live network device configuration.

Install only if you are authorized to inspect the target network. Use least-privilege read-only device accounts, define a strict discovery boundary, protect topology outputs as sensitive data, and do not run any enablement, VLAN, trunk, routing-policy, clearing, or port-security instructions unless they go through normal change approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The skill is labeled read-only, but this section instructs operators to enable LLDP/CDP on devices or interfaces (`set protocols lldp interface all`, and decision-tree steps to enable protocols). That is a live configuration change which can alter network behavior, expand device metadata exposure, and violate change-control expectations for a discovery-only workflow.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The document goes beyond topology discovery and recommends corrective actions such as fixing interface state, enabling neighbor protocols, adjusting VLAN assignments, and adding VLANs to trunks. In a skill presented as discovery/read-only, this scope creep is dangerous because an agent or operator may treat change-making guidance as part of normal execution without appropriate safeguards.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The troubleshooting guidance includes operational hardening and corrective recommendations such as enabling LLDP, clearing tables, investigating connected devices, and considering port security. While not overtly malicious, these suggestions exceed passive discovery and may prompt unsanctioned changes in production environments under the guise of troubleshooting.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The document explicitly states that all listed commands are read-only, but line 41 includes the JunOS command `set protocols lldp interface all`, which is a configuration command that changes device state by enabling LLDP globally. In an automation or agent context, this mismatch is dangerous because downstream systems or operators may trust the reference as safe-to-execute and unintentionally modify production network devices.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs enabling CDP/LLDP on live devices and interfaces without an explicit warning that this changes configuration. Even relatively small protocol changes can expose topology information, affect compliance posture, and create operational risk if performed automatically or by an inexperienced user following a supposedly read-only procedure.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal