AIOZ Storage Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is genuinely for deploying AIOZ static websites, but it asks the agent to handle account passwords, bucket seed phrases, root keys, and non-expiring grants in ways users should review carefully.

Install only if you are comfortable giving this workflow high-impact access to your AIOZ Storage account and bucket secrets. Prefer handling login and seed-phrase steps yourself; avoid putting passwords or seed phrases in chat, shell history, process arguments, or /tmp files; use short-lived, per-bucket grants; and avoid all-buckets or delete permissions unless you explicitly need them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill performs multiple network operations against external AIOZ endpoints but does not declare that capability in its metadata. Hidden or undeclared network access reduces transparency for users and policy systems, making it easier for sensitive data collection and exfiltration to occur without appropriate scrutiny.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The stated purpose is website deployment, but the documented behavior also includes generation of root zkeys, derivation of grants from a bucket seed phrase, and credential registration flows. That gap matters because these are high-sensitivity authorization and cryptographic operations, and users may not realize the skill handles recovery material and produces long-lived access artifacts.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs collection and transmission of the user's AIOZ email and password to a remote login API without an explicit warning about handling account credentials. This creates phishing-like risk and increases the chance that credentials are exposed in prompts, logs, shell history, transcripts, or intermediary tooling.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill asks for a 12-word bucket seed phrase and then uses it directly in command-line arguments to derive grants. A seed phrase is highly sensitive recovery material; exposing it in plaintext can permanently compromise bucket confidentiality and control through logs, process listings, shell history, temp files, or agent transcripts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The alternative flow writes JSON config files containing root zkeys, account IDs, bucket names, passphrases, and permissions into /tmp. Temporary directories are prone to accidental persistence, backup, broader local visibility, and forensic recovery, so this materially increases exposure of secrets beyond the immediate command execution.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The CLI explicitly encourages users to supply highly sensitive material such as root ZKeys and passphrases via command-line flags. On many systems, command-line arguments can be exposed through shell history, process listings, audit logs, CI job logs, and crash reports, which can leak credentials to other local users or operators. In this skill's context, those secrets are grant-generation inputs, so disclosure could enable unauthorized access or delegation over AIOZ storage resources.

VirusTotal

65/65 vendors flagged this skill as clean.