ClawHub

Byted Bytehouse Load Analyzer

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a purpose-aligned ByteHouse analysis helper, but users should treat its credentials and generated reports as sensitive.

Install only if you intend to analyze a ByteHouse environment. Use a least-privilege account, avoid pasting passwords into shared shells or logs, and keep generated reports out of public repos, tickets, and broad support bundles unless reviewed or redacted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation describes capabilities that access environment variables, write files, and use an MCP server, but it does not declare permissions or boundaries for those actions. In a security-sensitive agent environment, undeclared capability use weakens reviewability and can lead to overbroad access to credentials and operational data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly states that multiple analysis reports are written to disk, but it does not warn users that those files may contain sensitive cluster topology, resource usage, table activity, and query-related metadata. In an operational environment, such artifacts can be collected by other local users, backup systems, CI logs, or support bundles, causing unintended information disclosure even if the tool itself is functioning as designed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to export BYTEHOUSE_PASSWORD and other connection settings without any warning about secret handling, shell history exposure, log leakage, or least-privilege credential use. Because this skill analyzes a production-like data platform, mishandling these credentials could expose direct access to ByteHouse infrastructure and data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill states that multiple analysis reports are written to an output directory but does not warn that those reports may contain sensitive operational metadata such as cluster names, resource utilization, access patterns, and bottleneck details. Such artifacts can materially aid reconnaissance, capacity mapping, or targeted attacks if stored insecurely or shared broadly.

VirusTotal

50/50 vendors flagged this skill as clean.

View on VirusTotal