Sre Publish

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: reads AWS monitoring and cost data, uses Bedrock for incident summaries, and sends the report to Telegram.

Install only if you want AWS operational and cost data sent to a configured Telegram chat and, for incidents, summarized by Bedrock. Use least-privilege IAM, a private Telegram destination, a dedicated bot token, and avoid placing secrets, PII, or customer payloads in DLQ messages that may be sampled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill clearly uses sensitive environment variables and external networked services (AWS APIs, Bedrock, Telegram), yet the finding indicates no declared permissions despite those capabilities. This creates a transparency and governance gap: users or hosting systems may not realize the skill can access credentials and exfiltrate operational data to Telegram, increasing the risk of unintended data disclosure.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The README explicitly states that AWS health, incident, and cost data will be sent to Telegram, a third-party messaging platform, but provides no warning about data sensitivity, retention, chat exposure, or secure handling of bot credentials. In this skill context, operational telemetry, cost data, DLQ-derived incident details, and Bedrock-generated diagnoses may contain sensitive business or infrastructure information, so omission of privacy and data-handling guidance increases the risk of unintended disclosure.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The activation language is broad enough to match routine requests like infrastructure status or AWS cost overview, which can cause the skill to trigger in situations the user did not specifically intend. Because this skill reads cloud telemetry and sends a structured report to Telegram, overbroad invocation raises the chance of unauthorized or surprising disclosure of operational data to an external chat destination.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The description emphasizes AWS health checks and diagnostics but does not prominently warn that the output is transmitted to Telegram using configured bot and chat credentials. This is dangerous because users may assume the report remains local or within AWS, while in reality incident details, cost data, DLQ samples, and other operational context may be sent to a third-party messaging platform.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code sends incident context to Bedrock, including DLQ message samples, queue URLs, region, and Lambda failure details, without any minimization, redaction, or consent gate. DLQ samples can contain sensitive payloads, customer data, secrets, or internal identifiers, so forwarding them to an external managed model service can create unnecessary data exposure and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.