mobile app builder with live link, publishes to app store, create ai apps

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real LaunchPulse app-building skill, but it gives an agent broad live deployment, database, domain, billing, and secret-handling powers that users should review carefully.

Install only if you trust LaunchPulse with your projects and any credentials you provide. Use the default API unless you control the override, protect or clear the stored auth token, review JSON files before sending them, and require explicit user approval before running deploy, store publish, domain purchase/register/map, database SQL, billing, env-file, or payment-secret commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Description-Behavior Mismatch

Medium, 98% confidence
Finding
The CLI exposes a much broader control surface than the skill description suggests, including billing changes, deployment, domain operations, database access, storage, and environment management. In an agent-skill context, this capability mismatch increases the chance that a caller invokes sensitive operations without understanding the risk boundary, enabling over-privileged actions beyond simple app generation.

Context-Inappropriate Capability

High, 99% confidence
Finding
The `db query` command accepts arbitrary SQL and forwards it to the backend, which can enable destructive reads/writes if the backend honors the request. This is especially risky because arbitrary database querying is not necessary for the stated purpose of building apps from a text description, so the skill grants materially broader power than users would expect.

Context-Inappropriate Capability

Medium, 95% confidence
Finding
The domain management commands can search, purchase, register, verify, and map domains, which goes beyond app generation and into external account and infrastructure control. In an agent setting this increases the blast radius: a mistaken or malicious invocation could incur cost, change ownership-related state, or alter production routing.

Context-Inappropriate Capability

Medium, 96% confidence
Finding
The deploy commands can trigger live deployments and, for Fly deployments, collect and transmit third-party credentials to the remote API. This exceeds the advertised quick-start build role and creates a path for accidental production changes or credential exposure through an agent interface.

Context-Inappropriate Capability

High, 99% confidence
Finding
The env-file save functionality can upload arbitrary key/value pairs, including secrets, to a remote service and modify project environment files. Because secret and environment management is highly sensitive and not central to the stated app-generation purpose, this materially elevates risk of credential leakage and unsafe project modification.

Missing User Warnings

Medium, 91% confidence
Finding
The skill explicitly stores a personal access token in a predictable local path, but does not present any warning about the security implications of local credential persistence. On shared or weakly secured systems, this increases the risk of credential theft and subsequent unauthorized access to the LaunchPulse account and related project operations.

Missing User Warnings

Medium, 94% confidence
Finding
The skill exposes powerful production actions including deploys, database queries, domain operations, environment file writes, and payment configuration, but the documentation does not provide a consolidated warning that these commands can make real external changes. In an agent-driven context, this can lead to unintended modification of infrastructure, secrets, billing, or customer-facing services without sufficient user awareness.

Missing User Warnings

Medium, 94% confidence
Finding
The device login token is persisted to `auth.json` on disk without any visible permission hardening or explicit disclosure to the user that a bearer token is being stored locally. Local token persistence increases the risk of credential theft from other local users, malware, backups, or misconfigured home-directory permissions.

Missing User Warnings

High, 99% confidence
Finding
For Fly deployment, the CLI collects GitHub and Fly API credentials and sends them to the LaunchPulse backend, giving that service visibility into highly privileged third-party tokens. Even if intended for convenience, relaying long-lived secrets through an intermediary service significantly increases exposure risk if the service, logs, or transport handling are compromised.

Missing User Warnings

Medium, 96% confidence
Finding
The domain provisioning command may include a Fly API token in the request body to the remote API without prominent disclosure. Passing infrastructure credentials to an intermediary service broadens exposure and may allow unintended infrastructure changes if mishandled.

Missing User Warnings

High, 100% confidence
Finding
The domain status command places `flyApiToken` into URL query parameters, which are commonly logged by proxies, servers, browser history, and monitoring systems. Secrets in URLs are significantly easier to leak than secrets in headers or secure bodies, making this a concrete credential exposure flaw.

Missing User Warnings

Medium, 97% confidence
Finding
The env-file save operation can upload variables from a JSON file, including inferred secrets, to a remote service without a prominent warning that sensitive values are leaving the local environment. This creates a meaningful risk of unintentional exfiltration of API keys, tokens, and passwords through routine CLI use.

Missing User Warnings

High, 99% confidence
Finding
The payments setup flow collects Stripe and RevenueCat secrets, uploads them to the remote service, and saves them into project env files. Payment-provider credentials are highly sensitive; compromise could enable fraudulent billing actions, API abuse, or downstream account takeover, so transmitting them via a general-purpose agent skill is particularly dangerous.

VirusTotal

65/65 vendors flagged this skill as clean.
