Skill Trust Guard

Security checks across malware telemetry and agentic risk

Overview

This security wrapper appears purpose-aligned, but it needs review because its core protection depends on an unbundled local scanner and because it intercepts and wraps ClawHub installs in ways that affect future installs.

Install only if you understand that this wrapper can intercept future `clawhub install` commands and that its decisions depend on a separate local scanner you must trust and pin yourself. Prefer explicit `install.sh` use until the scanner path, fetch behavior, and uninstall/revert steps are clearer; avoid `--yes` for warning-range skills unless you have reviewed the scanner output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

High
Confidence: 98%
Finding
The script claims to be a security wrapper, but in the clawhub path it invokes `clawhub ... install ... --force` during the scan stage to fetch the skill before any allow/block decision is enforced. If `clawhub install` runs install hooks, scripts, or otherwise materializes untrusted content with side effects, malicious code could execute before the scan result is evaluated, defeating the wrapper's purpose.

Missing User Warnings

Medium
Confidence: 84%
Finding
The README instructs users to permanently prepend a user-controlled directory to PATH so a shimmed `clawhub` binary is invoked transparently. This creates persistent command-shadowing behavior and can mislead users into running a wrapper instead of the original tool, increasing risk if the shim is modified, replaced, or behaves unexpectedly.

Missing User Warnings

Medium
Confidence: 81%
Finding
For local/git sources, the script deletes the destination path and recopies content without any explicit warning or confirmation. Because `INSTALL_NAME` is derived from user-controlled input and `TARGET_DIR` can be set via `--dir`, this can silently destroy an existing skill directory or other targeted path within the chosen install root.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script creates an executable wrapper named 'clawhub' in a user-controlled bin directory and instructs the user to place that directory earlier in PATH, causing future invocations of 'clawhub' to be intercepted. Although the shim only redirects the 'install' subcommand and otherwise forwards to the real binary, PATH interception is a sensitive mechanism that can surprise users, affect trust boundaries, and be abused if the shim or target scripts are later modified or replaced.

VirusTotal

65/65 vendors flagged this skill as clean.
