
Security audit

ict

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate Claw skill auditing tool, but it performs a silent update check on startup and ships deliberately vulnerable sample files, both of which users should understand before installing.

Install only if you are comfortable with a local scanner reading the skill folders you point it at, and note that running ict.py currently contacts api.clawhub.ai for an update check before any scanning starts. Do not execute the bundled test sample files yourself; they are intentionally vulnerable inputs that exist so the scanner's detectors have something to match, not tooling to run.
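The check a user would want before trusting a scanner described as local is to run it once with outbound networking refused and see what it tries to reach. The following is an added example, not code from ict or SkillSpector: it patches Python's socket layer so every non-loopback DNS lookup or TCP connect is recorded and refused, then runs the target script under that guard. The module name netguard and the run_offline() helper are this example's own inventions, and it assumes the tool makes its request through Python's own socket layer (a request made by a child process such as git or curl is not seen by it).

```python
"""netguard: run a Python tool with every outbound connection refused and logged.

Added example, not part of ict or SkillSpector. It records and refuses each
DNS lookup and TCP connect made through Python's socket layer, so an
undeclared update check surfaces in a report instead of silently succeeding.
"""
import ipaddress
import runpy
import socket
import sys


class EgressBlocked(ConnectionError):
    """Raised for any non-loopback lookup or connection the guard refuses."""


def is_local(host):
    """True for loopback targets and for None (used by bind/listen lookups)."""
    if host is None or host in ("", "localhost"):
        return True
    if isinstance(host, bytes):
        host = host.decode("ascii", "ignore")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname rather than an IP literal: treat as remote
        return False


class NetworkGuard:
    """Patches socket.getaddrinfo and socket.socket.connect in place.

    getaddrinfo is guarded as well as connect because a DNS query for the
    update host already tells a network observer which tool ran and when.
    """

    def __init__(self):
        self.attempts = []  # (host, port) pairs the guard refused
        self._orig_getaddrinfo = socket.getaddrinfo
        self._orig_connect = socket.socket.connect

    def install(self):
        guard = self

        def getaddrinfo(host, port, *args, **kwargs):
            if not is_local(host):
                guard.attempts.append((host, port))
                raise EgressBlocked(f"DNS lookup for {host!r} refused")
            return guard._orig_getaddrinfo(host, port, *args, **kwargs)

        def connect(sock, address):
            # AF_UNIX addresses are plain strings and are always allowed.
            host = address[0] if isinstance(address, tuple) else None
            if not is_local(host):
                guard.attempts.append((host, address[1]))
                raise EgressBlocked(f"connection to {address!r} refused")
            return guard._orig_connect(sock, address)

        socket.getaddrinfo = getaddrinfo
        socket.socket.connect = connect
        return self

    def uninstall(self):
        socket.getaddrinfo = self._orig_getaddrinfo
        socket.socket.connect = self._orig_connect


def run_offline(script, argv=()):
    """Execute `script` as __main__ under the guard and return refused targets.

    Tools usually wrap an update check in try/except, so the script normally
    keeps running and the attempt only shows up in the returned list.
    """
    guard = NetworkGuard().install()
    saved_argv = sys.argv
    sys.argv = [script, *argv]
    try:
        runpy.run_path(script, run_name="__main__")
    except EgressBlocked as exc:  # the tool did not handle the refusal itself
        print(f"[netguard] aborted: {exc}", file=sys.stderr)
    except SystemExit:  # argparse --help and friends; the report still matters
        pass
    finally:
        sys.argv = saved_argv
        guard.uninstall()
    return guard.attempts


if __name__ == "__main__":
    # Usage: python netguard.py ict.py <scanner arguments>
    for host, port in run_offline(sys.argv[1], sys.argv[2:]):
        print(f"[netguard] refused {host}:{port}", file=sys.stderr)
```

For a scanner that also shells out (the findings below mention git subprocess usage), this in-process guard is not enough; run the whole thing in a network namespace or VM with no egress so child processes are covered too.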

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill declares no permissions in metadata while the accompanying analysis indicates capabilities such as file access, environment access, network use, and shell execution. For a security auditing tool, these capabilities may be functionally justified, but failing to declare them reduces transparency and undermines informed consent and sandboxing decisions.
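The least-privilege check behind this finding is mechanical: infer what the code can do from its imports and calls, then diff that against what the metadata declares. The following is an added example and not SkillSpector's or ict's implementation. It walks the AST of a Python skill, maps imports and dotted calls to coarse capabilities, and reports every capability the declaration omits. The capability names, the rule table and the sample skill source are this example's own constructed inputs, not ClawHub's metadata schema or ict's code.

```python
"""Infer a Python skill's capabilities from its AST and diff them against
its declared permissions. Added example; the rule table and sample are
constructed for illustration and are not ict's code or ClawHub's schema."""
import ast

# Evidence patterns per capability. A trailing "." matches a module and
# everything under it, a trailing "*" is a prefix match, and a bare name
# matches itself and the attributes beneath it (so "os.environ" also covers
# os.environ.get).
CAPABILITY_RULES = {
    "network": ("socket.", "urllib.request.", "http.client.", "requests.", "httpx."),
    "shell": ("subprocess.", "os.system", "os.popen", "os.exec*", "os.spawn*"),
    "environment": ("os.environ", "os.getenv", "os.putenv"),
    "filesystem": ("open", "os.walk", "os.listdir", "os.scandir", "glob.", "shutil.",
                   "pathlib.Path.read_*", "pathlib.Path.write_*", "pathlib.Path.open",
                   "pathlib.Path.glob", "pathlib.Path.rglob", "pathlib.Path.iterdir"),
    "dynamic_code": ("eval", "exec", "compile", "__import__", "importlib.import_module"),
}


def _matches(dotted, pattern):
    if pattern.endswith("*"):
        return dotted.startswith(pattern[:-1])
    if pattern.endswith("."):
        return dotted == pattern[:-1] or dotted.startswith(pattern)
    return dotted == pattern or dotted.startswith(pattern + ".")


class CapabilityVisitor(ast.NodeVisitor):
    def __init__(self):
        self.aliases = {}  # local name -> fully qualified name
        self.found = {}    # capability -> {(lineno, evidence)}

    def _note(self, dotted, lineno):
        if not dotted:
            return
        for cap, patterns in CAPABILITY_RULES.items():
            if any(_matches(dotted, p) for p in patterns):
                self.found.setdefault(cap, set()).add((lineno, dotted))

    def visit_Import(self, node):
        for alias in node.names:
            if alias.asname:
                self.aliases[alias.asname] = alias.name
            else:  # "import os.path" binds the top-level name "os"
                root = alias.name.split(".")[0]
                self.aliases[root] = root
            self._note(alias.name, node.lineno)

    def visit_ImportFrom(self, node):
        for alias in node.names:
            full = f"{node.module}.{alias.name}" if node.module else alias.name
            self.aliases[alias.asname or alias.name] = full
            self._note(full, node.lineno)

    def _dotted(self, node):
        if isinstance(node, ast.Name):
            return self.aliases.get(node.id, node.id)
        if isinstance(node, ast.Attribute):
            base = self._dotted(node.value)
            return f"{base}.{node.attr}" if base else None
        if isinstance(node, ast.Call):  # chained use such as Path(p).read_text()
            return self._dotted(node.func)
        return None

    def visit_Call(self, node):
        self._note(self._dotted(node.func), node.lineno)
        self.generic_visit(node)

    def visit_Attribute(self, node):  # catches os.environ["X"] with no call
        self._note(self._dotted(node), node.lineno)
        self.generic_visit(node)


def infer_capabilities(source):
    """Return {capability: sorted [(lineno, evidence), ...]} for Python source."""
    visitor = CapabilityVisitor()
    visitor.visit(ast.parse(source))
    return {cap: sorted(hits) for cap, hits in sorted(visitor.found.items())}


def undeclared_capabilities(source, declared):
    """Capabilities the code exercises that the metadata does not declare."""
    return set(infer_capabilities(source)) - set(declared)


# Constructed sample of a scanner-like skill; not ict's source.
SAMPLE_SKILL = '''
import os
import subprocess
import urllib.request
from pathlib import Path

def check_for_update():
    with urllib.request.urlopen("https://example.invalid/version") as r:
        return r.read()

def scan(folder):
    token = os.environ.get("SCAN_TOKEN")
    head = subprocess.run(["git", "-C", folder, "rev-parse", "HEAD"], capture_output=True)
    for path in Path(folder).rglob("*.py"):
        with open(path) as f:
            text = f.read()
    return token, head
'''

if __name__ == "__main__":
    declared = {"filesystem"}  # what a skill manifest might claim
    for cap, hits in infer_capabilities(SAMPLE_SKILL).items():
        flag = "" if cap in declared else "  <- undeclared"
        print(f"{cap}{flag}: " + ", ".join(f"L{ln} {ev}" for ln, ev in hits))
```

The output is evidence, not a verdict: a hit means the code can reach the capability, and the reviewer still has to decide whether it is justified. For this skill the capabilities in question may well be justified, but the point of the finding is that they should be declared so the user can decide that before running it.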

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented purpose presents the skill as a benign scanner for dangerous patterns, but the analyzed behavior expands into outbound update checks, persistent local storage, secret scanning, git subprocess usage, and custom rule loading. This mismatch is dangerous because users may invoke the tool without understanding it can access sensitive config files, persist data, and contact external services.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The tool is presented as a local security auditor, but it performs an automatic outbound request to a third-party service during normal execution. Even if used only for version checks, this creates an undeclared network dependency and can leak usage metadata in a context where users reasonably expect fully local analysis.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Automatic outbound update checking is not necessary for the core function of scanning local files, so it expands the skill's capability beyond its stated purpose. In a security tool, this mismatch is more dangerous because users may run it on sensitive systems expecting no external communication.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This file contains real executable capabilities unrelated to a static audit tool, including database querying, reading /etc/shadow, and starting an HTTP listener. Even if presented as examples, these are active behaviors that expand the attack surface and can cause unauthorized data access or unexpected service exposure if invoked.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Opening /etc/shadow attempts access to a highly sensitive system credential file and is unjustified for a code-auditing skill. If successful, it could expose password hashes or encourage credential-access behavior on host systems.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Starting an HTTP server is unrelated to static code auditing and creates an unnecessary network-facing service. If invoked, it can expose the process to unintended connections, port conflicts, and future abuse if handlers are added.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The comment says the code is a risk example, but the function still performs a real sensitive file open on /etc/shadow. Labeling dangerous behavior as a demo does not reduce risk when the operation remains executable.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
Although described as an insecure HTTP example, the code actually starts a live listener on port 80. Real network behavior in a demonstration sample is still dangerous because it can expose a service unexpectedly.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The update check sends an HTTP request carrying a User-Agent, and by the nature of the request the user's IP address and network metadata are exposed to the remote service, yet there is no user-facing disclosure or consent. This is a transparency and privacy issue rather than a direct code-execution flaw, but it is still relevant for a local auditor run in potentially sensitive environments.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Sensitive file access occurs without any user disclosure or consent flow, increasing the chance of silent access to credential material. For a security audit skill, undisclosed host file access is especially risky because users would not expect it.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The code starts a network service without warning the user, which can surprise operators and expose local ports. While the current handler is nil, undisclosed service startup is still an unnecessary and risky side effect.

VirusTotal

63 of 63 vendors report this skill as clean. A clean antivirus verdict only means no vendor signature matched; it says nothing about the undeclared update check or the behaviour of the bundled samples described above.


Static analysis

Detected: suspicious.dynamic_code_execution, suspicious.exposed_secret_literal, suspicious.prompt_injection_instructions. Hits located inside the scanner's own analyzer and filter modules and inside test_samples/ need manual confirmation at the cited line: a detector's own pattern strings and its deliberately vulnerable fixtures match the same rules as a real defect would.

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
ast_analyzer.py:291

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
ast_analyzer.py:286

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
false_positive_filter.py:141

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
sensitive_info_scanner.py:339

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
test_samples/go_lang/test.go:25

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
test_samples/java_lang/VulnerableCode.java:6

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
SKILL.md:94