Builtin Tools

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed utility bundle, but it gives an agent broad shell, file, network, install, memory, and automation powers without enough built-in limits or confirmations.

Install only if you intentionally want an agent to have broad local-tool authority. Treat shell command mode, recursive deletion, arbitrary file writes, runtime downloads, browser opening, memory storage, and automation generation as privileged actions; use them with explicit approval and strict workspace, host, and path limits.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (10)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
    cmd = ["/bin/sh", "-c", full_script]

    try:
        result = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
Confidence: 97%
Finding:
result = subprocess.run( cmd, capture_output=True, text=True, encoding="utf-8", errors="replace", timeout=timeout,

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
    cmd = ["/bin/sh", "-c", command]

    try:
        result = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
Confidence: 99%
Finding:
result = subprocess.run( cmd, capture_output=True, text=True, encoding="utf-8", errors="replace", timeout=timeout,

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
The tool lets the caller override the persistent memory root via the memory_dir parameter, which breaks the expected confinement of a memory store and allows reads/writes/listing in arbitrary filesystem locations. In this skill context, the tool is explicitly positioned as a general-purpose agent utility, so exposing directory selection materially increases the chance that other actions operate on unintended or sensitive paths.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
The read action joins a user-controlled file value directly with memory_path and does not validate that the resulting path remains inside the intended directory. An attacker can supply traversal such as ../ or an absolute path, causing arbitrary file reads; because memory_dir is also caller-controlled, this becomes even easier and more dangerous in this toolset.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
This function is an explicit shell-execution helper that runs arbitrary commands with no built-in policy checks, confirmation, or allowlist. In an agent skill, that is dangerous because higher-level callers can unknowingly or automatically trigger destructive commands, downloads, exfiltration, or persistence actions across the host OS.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
This script performs irreversible file and directory deletion, including recursive directory removal via shutil.rmtree(), without any built-in confirmation, dry-run mode, or policy restriction beyond a few hardcoded path checks. In an agent/tooling context, this is dangerous because a mistaken, manipulated, or adversarially supplied path can cause destructive data loss across the accessible filesystem.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The skill exposes unrestricted shell execution with no warning, confirmation, or trust boundary enforcement. In an agent environment, lack of user-facing confirmation is not merely UX debt: it materially increases the chance that prompt-influenced or indirect input triggers destructive or data-accessing commands without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The function copies the full process environment and allows arbitrary caller-supplied environment overrides to be passed into subprocesses. This can expose sensitive tokens to child processes and can alter process behavior in security-relevant ways, such as changing credentials, proxies, or execution context, without any disclosure or restriction.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding:
Opening arbitrary URLs or file paths via the system browser can launch external handlers, access local files, or trigger other registered applications. In an agent skill, doing this without confirmation can be abused for phishing, unwanted network access, or opening sensitive local resources.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding:
This script opens a URL in the user's browser immediately, with no confirmation, disclosure, or allowlist. In an agent/tooling context, that can trigger unintended outbound navigation or local file handling via file:// URLs, which is risky because the action has side effects outside the tool and may expose the user to phishing, tracking, or opening sensitive local resources.

VirusTotal

66/66 vendors flagged this skill as clean.