Linux Omniscient

Security checks across malware telemetry and agentic risk

Overview

This skill openly aims to control a Linux desktop and connected devices, but it gives very broad authority with weak or missing safeguards for sensitive actions.

Install only if you intentionally want an agent to operate your Linux desktop and connected devices with very high authority. Supervise every action, and require explicit confirmation before screen capture/OCR, camera or microphone use, GUI clicking or typing, process kills, power actions, network/DNS/proxy changes, printer cancellation, Bluetooth/serial actions, and Home Assistant commands. Avoid passing long-lived tokens or passwords in chat or as command-line arguments, and do not use this skill on a machine with sensitive open sessions unless you can monitor it closely.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (28)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    env["PYTHONIOENCODING"] = "utf-8"

    try:
        result = subprocess.run(
            cmd_str,
            capture_output=True,
            text=True,
Confidence
99% confidence
Finding
result = subprocess.run( cmd_str, capture_output=True, text=True, encoding="utf-8", errors="replace", timeout=timeout,

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares broad execution capabilities including shell, network, environment access, and file writes, but does not declare permissions or present a permission model to constrain them. This makes the skill harder to audit and allows high-risk actions to be invoked under a vague 'omniscient' umbrella, increasing the chance of silent system modification or data exfiltration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The skill description markets itself as a universal capability suite, but the documented behaviors extend into additional system-administration and control functions such as network adapter management, proxy changes, process termination, power actions, and input/window control. This mismatch obscures the true attack surface and can mislead users into enabling a skill with broader and more dangerous reach than they reasonably expect.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The docstring states confirmation is required before disabling a network adapter, but the function immediately executes `ip link set <name> down`. In an agent skill with broad system-control scope, this mismatch can cause unexpected loss of connectivity, denial of service, or self-disconnection of the controlling session without any user checkpoint.

Vague Triggers

High
Confidence
97% confidence
Finding
The phrase 'applicable to any task, without exception' creates an extremely broad trigger surface that can cause the skill to activate on unrelated everyday requests. In a skill with command execution, device control, and orchestration, overbroad applicability materially increases the risk of unintended privileged actions being selected automatically.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The router says that once the skill is loaded it will automatically classify and handle many task types, but it does not define boundaries, safe defaults, or when not to act. Automatic routing is especially risky here because the skill spans cognition, code execution, and system control, so benign prompts may be escalated into tool use without sufficiently explicit user intent.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill exposes sensitive capabilities such as screenshots, OCR, recording, camera access, HTTP calls, and GUI automation without a consolidated privacy warning or clear disclosure of what data may be captured, transmitted, or persisted. In combination, these features can collect highly sensitive user information from the screen, microphone, camera, local apps, and external services.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The execution framework explicitly allows file operations, arbitrary HTTP requests, and command execution, but does not warn users about file modification, data upload, credential exposure, or remote interaction risks. This omission can cause users to authorize actions without understanding that local data may be altered or transmitted externally.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation exposes microphone recording capability without any notice, consent guidance, or safeguards. In a skill explicitly marketed as universally applicable and highly privileged, this increases the risk of covert audio capture and privacy violations, especially if an agent invokes recording without making the action obvious to the user.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The reference documents sending Home Assistant tokens and arbitrary HTTP control data without warning about credential exposure, network egress, or control of external devices. Given this skill's broad orchestration and system-control framing, these commands could enable unauthorized device manipulation, secret leakage, or unsafe outbound actions if invoked carelessly or by prompt injection.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Camera capture is documented without any warning that it activates a sensor and stores images to disk. In the context of an omnipotent automation skill, that omission materially raises the risk of covert image capture, collection of sensitive environmental data, and unnoticed persistence of photos.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Screenshot, OCR, and GUI automation can capture credentials, personal data, confidential documents, and can also interact with security-sensitive UI elements. Because this skill is designed for broad autonomous orchestration across the desktop, failing to warn or gate these actions makes the capability substantially more dangerous and easier to misuse for surveillance or unauthorized actions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script can initiate microphone recording and write captured audio to disk immediately, with no user-facing notice, consent check, or confirmation prompt. In the context of an 'omniscient' skill explicitly designed for broad system control and arbitrary task execution, this creates a meaningful privacy risk because it enables covert local audio capture and persistence of sensitive conversations.

Missing User Warnings

Low
Confidence
74% confidence
Finding
The script exposes Bluetooth scanning, service discovery, and connection primitives with no consent prompt, authorization check, or user-facing warning about nearby-device enumeration and remote device interaction. In the context of an 'omniscient' skill explicitly designed for broad system control and arbitrary task execution, these capabilities materially increase the risk of covert device reconnaissance and unintended interaction with nearby Bluetooth targets.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code captures an image from the default camera and writes it to disk without any consent prompt, notification, authorization check, or audit trail. In the context of an 'omniscient' skill explicitly designed for broad system control and usable for any task, this materially increases the risk of covert surveillance and unauthorized collection of sensitive visual data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The function captures the entire screen and writes the image to /tmp without explicit consent, warning, retention controls, or access restrictions. Screenshots can contain secrets such as passwords, tokens, messages, or confidential documents, and storing them on disk increases the chance of unintended disclosure to other local processes or users depending on system configuration.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The OCR routine silently captures the current screen and extracts text, which can expose sensitive data from emails, chats, terminals, password managers, or internal documents. In the context of an 'omniscient' skill with broad system-control ambitions, this materially increases surveillance and data-harvesting risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This routine both inspects the screen and performs automated clicks based on image matching, enabling hidden UI manipulation such as approving prompts, changing settings, initiating transactions, or interacting with privileged applications. Within a skill explicitly designed for broad device and GUI control, the combination of screen inspection and synthesized input substantially raises the risk of unauthorized actions and covert abuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script exposes suspend, hibernate, shutdown, and restart operations directly from CLI subcommands without any interactive confirmation, authorization check, or safety gate. In the context of an 'omniscient' skill intended for broad autonomous use and system control, this increases the likelihood that an agent, prompt injection, or mistaken invocation can disrupt availability, terminate user work, or cause data loss from unsaved state.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The Home Assistant access token is accepted via a command-line argument and then transmitted in an Authorization header. Command-line secrets are commonly exposed through shell history, process listings, audit logs, and orchestration tooling, which can lead to credential theft and unauthorized control of connected devices; in the context of this broadly capable skill, that increases operational risk.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The WiFi password is accepted as a CLI argument and passed to a subprocess, which can expose the secret through shell history, process listings, agent logs, telemetry, or error traces. In this skill's high-privilege orchestration context, handling credentials this way increases the chance of credential leakage beyond the immediate connection attempt.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The function claims confirmation is required before setting proxy values but modifies environment variables immediately. In the context of an omnipotent automation skill, silent proxy changes can reroute traffic through attacker-controlled infrastructure, enabling interception, traffic manipulation, or operational outage for downstream tools that inherit the environment.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The cancel command can delete print jobs, and when no job ID is supplied it invokes `cancel -a`, which attempts to cancel all jobs without any confirmation, authorization check, or safeguard. In this skill's broader context of unrestricted system control and automation, an LLM or chained workflow could trigger mass job cancellation unintentionally or abusively, causing denial of service and operational disruption.

Missing User Warnings

High
Confidence
92% confidence
Finding
The function can terminate arbitrary processes by name or PID, including forceful SIGKILL, with no confirmation, authorization checks, allowlist, or safety guardrails. In the context of an 'omniscient' skill explicitly designed for broad system control and orchestration, this materially increases the risk of misuse for denial of service, disruption of security tools, or destruction of user work.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This code launches arbitrary subprocesses from user-controlled input with no validation, policy enforcement, sandboxing, or warning. Within a skill whose stated purpose is unrestricted execution and system control, this is especially dangerous because it enables the agent to run attacker-chosen commands on the host, potentially leading to full system compromise depending on the runtime privileges.

VirusTotal

64/64 vendors flagged this skill as clean.