Cogniexec

Security checks across malware telemetry and agentic risk

Overview

This skill is a broad automation toolkit with disclosed but high-impact command, file, network, email, clipboard, and data-processing powers that are not scoped tightly enough for default trust.

Install only if you intentionally want a powerful local automation skill. Use it in a sandbox or narrow working directory, review commands before execution, avoid untrusted data expressions, do not rely on its Base64/XOR or ZIP password handling for encryption, keep secrets out of the environment when generating .env files, and be careful with email, HTTP debug, clipboard monitoring, network scans, and bulk file operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (30)

eval() call detected

High
Category
Dangerous Code Execution
Content
# Handle quotes inside the string
try:
    result = eval(expr, safe_dict)
    return result
except Exception as e:
    raise ValueError(f'Failed to parse expression: {expr} → {e}')
Confidence
99% confidence
Finding
result = eval(expr, safe_dict)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The module documentation claims AES encryption/decryption support, but the implementation only provides Base64 encoding and XOR obfuscation, which are not equivalent to secure encryption. In a crypto utility used by an execution-capable agent skill, this can mislead users or downstream automation into storing or transmitting sensitive data under the false assumption it is strongly encrypted.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The file claims to provide a 'safe sandbox' and 'safe evaluation' while internally relying on eval(). This misleading safety framing increases the likelihood that integrators, operators, or downstream agents will trust untrusted expressions and expose the feature in automation pipelines, amplifying exploitation risk. The issue is not just documentation mismatch: it can directly cause unsafe deployment decisions around a code-execution primitive.

Description-Behavior Mismatch

High
Confidence
91% confidence
Finding
The tool presents itself as a general data processor, but it accepts and executes arbitrary-looking expressions for filtering and transformation. That capability materially expands the attack surface beyond normal data handling into code-evaluation territory, which is especially dangerous in a skill whose broader metadata mentions command execution and orchestration. This mismatch can cause users to supply attacker-controlled expressions believing they are only performing data operations.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
User-supplied expressions from CLI arguments flow into the evaluator for both filtering and transformation, creating a direct untrusted-input-to-eval path. In agent or automation contexts, these arguments may be influenced by prompts, external data, or upstream users, so the exposed evaluation feature can become a remote code execution primitive. Because this skill is intended for cognition and code-execution workflows, the surrounding context makes such a primitive more dangerous, not less.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This file adds a full email-sending capability, including attachments, bulk sending, templates, and SMTP connectivity, which is materially outside the stated cognition/code-execution scope. In an agent skill, undeclared outbound communication is dangerous because it enables data exfiltration, spam/phishing, or covert operator-controlled messaging without users expecting that capability.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The code consumes SMTP credentials and configuration from arguments/environment and uses them to perform authenticated outbound network communication. In a skill whose manifest does not disclose email delivery, this creates a hidden exfiltration and impersonation channel that could be abused to send sensitive data externally or act on behalf of the configured sender.

Description-Behavior Mismatch

Low
Confidence
89% confidence
Finding
The SMTP test command performs network probing and optional authentication against arbitrary hosts, which is an undeclared network-diagnostic capability. Even if intended for troubleshooting, hidden connectivity testing broadens the skill's attack surface and can be repurposed for recon against internal or external infrastructure.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
`cmd_sync` is labeled as a preview operation, but when `dry_run` is disabled it performs real bidirectional copies and optional deletions. In an agent skill context with code-execution capabilities, misleading semantics around a destructive file operation materially increase the risk of unintended data modification or loss.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
`cmd_batch_replace` writes file changes during traversal before presenting the promised replacement summary, so users do not get a chance to review or approve modifications beforehand. In a skill intended for autonomous execution, this can cause immediate bulk corruption of source files or configuration data from a mistaken pattern or regex.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The generate-env command copies values from the current process environment into a newly written .env file based on matching template keys. This can persist secrets such as API keys, tokens, or passwords to disk without an explicit safety prompt, increasing the chance of accidental disclosure through file sharing, backups, logs, or source control.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The file implements a full standalone network reconnaissance utility, including ping, DNS lookup, traceroute, port probing, HTTP checks, and speed tests, which materially exceeds the declared skill purpose of cognition and code execution. In an agent skill context, capability drift matters because it quietly adds network discovery and external communication primitives that can be chained for unauthorized environment mapping or data egress.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The port command performs active TCP port scanning against arbitrary hosts and port ranges, which is a classic reconnaissance capability frequently used before exploitation. In this skill context, that functionality is especially risky because it is unrelated to the stated purpose and could be abused by an agent to probe internal or external networks without clear user authorization.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The traceroute implementation and raw-socket probing provide network path discovery and low-level packet capabilities that can reveal internal topology and support reconnaissance. In an agent environment, these primitives are more dangerous than ordinary diagnostics because they enable stealthier infrastructure mapping and may require elevated privileges, increasing abuse potential.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill advertises code execution, file operations, HTTP requests, and system tooling without a clear consolidated warning about privacy, data exposure, persistence, or system impact. In a skill designed for autonomous orchestration, this omission increases the chance that users trigger sensitive actions without informed consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The prebuilt script library includes sensitive functions such as clipboard access, SMTP email, database manipulation, file management, archiving, and network diagnostics, but there is no unified safety policy governing when these may be used. Because the skill also supports free-form orchestration, these capabilities materially increase the risk of data exfiltration, unwanted persistence, or destructive bulk actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The gzip command removes the original input file by default unless --keep is provided, which makes the destructive behavior implicit and easy to trigger accidentally. In an agent-execution skill context, this is more dangerous because automated callers may invoke compression without realizing it causes data loss, potentially deleting important source files after a failed or misunderstood workflow.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The watch functionality automatically prints newly copied clipboard text to stdout, which can expose passwords, tokens, API keys, personal data, or other sensitive content to terminals, shell history captures, screen recordings, or centralized logs. In an agent skill focused on cognition and code execution, this becomes more dangerous because clipboard scraping/observation can be chained with automation and used to capture secrets without strong user awareness.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The password-generation path prints generated passwords directly to stdout without warning, masking, or safer handling options. In an agent skill focused on code execution and automation, stdout is commonly logged, captured, or forwarded, which increases the chance that generated credentials are exposed to operators, logs, or other tools.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The HMAC command takes key material via command-line arguments and prints signatures directly, with no warning that command-line arguments may be visible via shell history, process listings, or orchestration logs. In this skill's execution-oriented context, such exposure is more dangerous because commands are likely to be automated, recorded, and replayed.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The token-generation command emits raw secret tokens to stdout by default, which can leak API keys or bearer tokens into terminal history, CI logs, agent transcripts, or other monitoring systems. Because this skill is intended for automated execution chains, plaintext secret exposure is materially more likely than in an interactive local-only tool.

Missing User Warnings

High
Confidence
98% confidence
Finding
The batch replacement logic performs in-place writes before any warning or confirmation is shown, which is unsafe for a bulk-edit command. A bad search string, regex, or scope filter can silently rewrite many files before the user sees the impact, leading to integrity loss and difficult recovery.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code reads environment variables and writes them into a generated .env file with no explicit warning that sensitive process secrets may be copied to disk. In an agent skill focused on code execution and automation, this is more dangerous because automated workflows may invoke it non-interactively and unknowingly materialize secrets into workspace files.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The debug command prints request headers and response bodies directly to stdout without redaction. In this HTTP client context, that can expose bearer tokens, cookies, API keys, session identifiers, and sensitive response data into terminals, shell history captures, CI logs, or shared transcripts, creating a real confidentiality risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Several image-processing commands write output back to the source file when no output directory is provided, causing irreversible modification of user data. In an agent-execution skill, this is more dangerous because automation may invoke these commands on large directories non-interactively, leading to unexpected bulk data loss or corruption.

VirusTotal

63/63 vendors flagged this skill as clean.
