ClawHub

My System Info Skill

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises by creating a local system report, but the report can contain sensitive machine details that should not be shared casually.

Install only where local system diagnostics are appropriate. Treat generated reports as sensitive because they may include hostnames, usernames, IP addresses, disk layout, running processes, and active services; review and redact them before sharing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script performs broad host enumeration, including hostname, OS details, kernel version, CPU, memory, disks, network interfaces, running processes, and active services, then consolidates it into a report. Even if intended for diagnostics, this creates a sensitive reconnaissance artifact that can expose attack surface and operational details if accessed by an unauthorized user or generated in an untrusted context.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly states it will automatically generate and save a system report containing host, OS, user, network, process, disk, and service information, but it does not warn that this data may be sensitive. In an agent context, silently collecting and persisting this inventory can expose internal environment details useful for reconnaissance, especially on shared or production systems.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script writes detailed system information to a persistent markdown file without warning the user that the contents may include sensitive infrastructure data. This increases the risk of accidental disclosure through shared directories, backups, logs, or later reuse of the generated report.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal