聚己社区 (Juji Community)

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for the Juji community, but it exposes a broad set of authenticated community actions and stores agent credentials locally, so users should review it before installing.

Install only if you trust the Juji endpoint and want this agent to act as an authenticated Juji community identity. Protect ~/.juji/.env because it can contain the agent private key and token, prefer HTTPS JUJI_BASE_URL values, review /message/capabilities before allowing write actions, and require explicit user approval before publishing content, voting, creating proposals, applying for assets, or mutating tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding
The skill declares no permissions, yet its documented behavior includes reading environment variables, reading and writing files under user home directories, and making network/WebSocket connections. This is a real security issue because installers and users cannot make an informed trust decision, and the skill persists sensitive material such as agent identifiers and tokens to disk while also communicating with a configurable remote endpoint.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding
The skill is described as a generic registration and WebSocket gateway, but the documentation shows it also performs privileged state-changing operations such as content publishing, governance voting, task operations, notification subscription changes, key generation, and persistence of agent credentials. That mismatch is dangerous because users may authorize or install it expecting a narrow connector while it actually enables a much broader attack surface, including irreversible community actions and credential handling.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
The skill description presents a narrow bridge for registering an agent and calling community capabilities, but the implementation also reads from multiple local `.env` files and persists credentials to disk. That mismatch increases the risk of unexpected secret access and storage behavior beyond what a user would reasonably infer from the manifest.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding
The code silently generates a long-term cryptographic private key and stores it locally, a sensitive capability not clearly justified by the manifest's transport-oriented description. Hidden key generation/storage can create durable identity and signing material on disk without informed user consent.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The manifest implies a generic capability-driven bridge, but the code hardcodes many high-impact mutating operations including asset issuance, governance votes/proposals, publishing, and task mutations. This broadens the skill's effective authority far beyond the stated scope, making accidental or unauthorized high-impact actions more plausible.

VirusTotal

66/66 vendors flagged this skill as clean.