Industrial Silicon Army

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate manufacturing AI assistant, but it needs Review because it requests sensitive business/API access while giving inconsistent information about its data sharing and scope.

Install only after confirming which APIs will receive your prompts and business data. Use least-privilege keys, avoid production ERP/CRM/OAuth credentials at first, keep purchasing/payment/account changes behind human approval, and treat financial, customer-credit, compliance, and supplier outputs as advisory until the publisher clarifies data flows and authorization controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding:
The top-level description presents the skill as focused on manufacturing operations, MES, supply chain, predictive maintenance, and quality control, but the body expands into sales, pricing, customer management, finance, compliance, policy, and market intelligence functions. This scope expansion can cause users or hosts to invoke the skill under narrower trust assumptions than its actual behavior warrants, increasing the risk of inappropriate data exposure and over-privileged use.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding:
The file claims that all business data is processed locally and not uploaded to third-party servers, yet it also declares OpenAI API usage for agent reasoning and content generation. Those calls necessarily send prompts and business context off-box, so the privacy statement is materially misleading and may cause operators to expose sensitive operational or commercial data under false assumptions.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding:
The documentation says API keys are not sent to third parties, but authentication to external APIs necessarily transmits credentials or credential-derived tokens to those providers. This is misleading security documentation that can cause unsafe deployment decisions and incorrect compliance attestations.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding:
The /api/v1/agents endpoint documentation says it omits realtime invocation statistics, but it returns invoked_count and total_tokens for every agent via _safe_agent_info. This is an information disclosure and integrity-of-interface issue: clients may receive operational telemetry that was not intended for broad exposure, which can aid profiling or abuse planning.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The execute endpoint claims task content is not logged, but on exceptions it logs the exception text and returns str(exc) to the client. If downstream components include user task text, prompts, credentials, stack fragments, or vendor error payloads in exception messages, sensitive data can leak to logs and API callers, undermining the stated privacy boundary.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding:
The agent definitions materially expand the skill from manufacturing operations into sales, finance, contract, tax, and strategic planning functions that are not clearly bounded by the manifest scope. This increases the chance of unintended activation, over-collection of sensitive business data, and users receiving advice in higher-risk domains without explicit authorization or safeguards.

Missing User Warnings

Severity: Medium
Confidence: 81%
Finding:
The README encourages execution of tasks that may interact with ERP/MES/WMS/CRM systems and process enterprise operational data, but it does not warn users about possible downstream actions, data exposure, or the need for environment scoping and access controls. In an industrial setting, users may submit sensitive production, supplier, pricing, or compliance data and assume the platform is advisory-only, increasing the risk of unintended disclosure or operational impact.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
The trigger list is broad and includes common manufacturing and business phrases such as inventory management, customer follow-up, and factory management. Overbroad invocation criteria can cause the skill to activate in conversations that were not meant to engage external APIs or specialized business workflows, increasing the chance of unintended data handling and excessive automation scope.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding:
The inline guidance uses vague 'Use when' and 'Trigger on' language without precise boundaries, so the host may invoke the skill for loosely related manufacturing discussions. In a skill that references ERP/MES/WMS/CRM data and external APIs, ambiguous activation rules increase the risk of misrouting sensitive business prompts into a broader-capability agent.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The skill defines very broad keyword-to-agent routing rules using common business terms such as '生产' (production), '客户' (customer), '采购' (procurement), '合规' (compliance), and '运营' (operations). In a multi-skill environment, this can cause unintended invocation on ordinary enterprise conversations, leading to over-collection of user context, incorrect task routing, or execution of actions the user did not explicitly request.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
The file defines many broad keywords across multiple domains without activation constraints, exclusions, or disambiguation logic. In practice, this can cause the skill to trigger on loosely related prompts and route users into powerful business-function agents that may handle sensitive procurement, contract, financial, or operational topics inappropriately.

Ssd 2

Severity: Medium
Confidence: 97%
Finding:
The changelog explicitly states that terms like 'query/monitor/track/sync' were replaced with softer wording such as 'generate/suggest/reference/plan' and that sensitive API descriptions had verbs like 'fetch', 'collect', and 'sync' removed to address scanner findings. This is dangerous because it indicates deliberate concealment of operational capabilities from reviewers and security tooling rather than removing the underlying behavior, which increases the likelihood of undisclosed data access or external-system interaction in an industrial environment.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal