Kernelgen Flagos

Security checks across malware telemetry and agentic risk

Overview

This is a real GPU-kernel automation skill, but it needs Review because it can store an MCP token, install packages, edit project code, and optionally publish or share results externally.

Install only if you are comfortable giving this skill repo write access, shell execution, package-install authority, and access to a KernelGen MCP token stored in .mcp.json. Review diffs before accepting generated changes, avoid using it in sensitive repositories unless you disable chat/PR submission, and rotate or remove the MCP token when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (45)

Context-Inappropriate Capability

Severity: Medium. Confidence: 98%.
Finding
The skill adds a post-completion capability to prepare or directly send messages via chat platforms, which is outside the core task of kernel generation and optimization. This expands the action surface from local code generation into external communications, creating a risk of unintended data exfiltration, disclosure of repository details, or social-engineering abuse if the generated summary includes sensitive information.

Context-Inappropriate Capability

Severity: High. Confidence: 99%.
Finding
The skill instructs the agent to create branches, commit, push to remote, and open PRs automatically. These are privileged repository-modifying and networked actions beyond kernel generation itself, and they can publish unreviewed or attacker-influenced changes to external hosting services, causing supply-chain, integrity, and data-leak risks.

Context-Inappropriate Capability

Severity: Medium. Confidence: 96%.
Finding
The skill includes optional workflows to prepare or send summaries/files through external chat platforms, which is outside the stated kernel-generation scope and creates a data egress path. Even if framed as user-confirmed, this expands the skill from code generation into exfiltration-capable messaging and can leak repository paths, code summaries, benchmark results, or client/project details.

Context-Inappropriate Capability

Severity: High. Confidence: 98%.
Finding
The skill performs git remote detection, branch creation, push, and PR creation, which exceeds kernel generation and introduces a direct external publication path. This is more dangerous than local file editing because it can disclose generated code and repository metadata to remote services and trigger organizational workflows without a dedicated review boundary.

Description-Behavior Mismatch

Severity: High. Confidence: 98%.
Finding
The skill's stated purpose is GPU kernel generation/optimization, but it also instructs the agent to prepare external chat messages and perform git branch creation, commit, push, and PR creation. This materially expands the action surface from local code generation into external communication and publication, increasing the chance of unauthorized disclosure or unintended code release.

Context-Inappropriate Capability

Severity: High. Confidence: 97%.
Finding
The instructions authorize using chat tool CLIs/APIs to send generated summaries or files to external messaging platforms, which is unrelated to kernel generation itself. That creates a direct exfiltration path for repository details, code, benchmark data, or customer information to third-party services.

Context-Inappropriate Capability

Severity: High. Confidence: 98%.
Finding
The git workflow directs the agent to create branches, commit, push to remotes, and open PRs on hosting platforms. Even with a confirmation prompt, this extends the skill into publication of code and metadata to external infrastructure, which can leak proprietary code or trigger unauthorized repository changes.

Description-Behavior Mismatch

Severity: Medium. Confidence: 91%.
Finding
This skill expands beyond kernel generation/optimization into onboarding users to an external service and persisting MCP configuration for future authenticated access. That creates a new trust boundary, introduces credential handling, and can silently enable network-connected capabilities not clearly justified by the advertised skill purpose.

Context-Inappropriate Capability

Severity: Medium. Confidence: 95%.
Finding
The file instructs the agent to collect a bearer token from the user and write it into `.mcp.json`, establishing persistent authenticated access to a remote service. Storing long-lived tokens on disk without strong justification, minimization, or security guidance increases the risk of credential exposure, misuse by other local tools, or unintended future network actions under the user's identity.

Description-Behavior Mismatch

Severity: Medium. Confidence: 93%.
Finding
The skill is framed as an operator optimization workflow, but it can create conda environments and install packages automatically. That expands its behavior into system modification and network/package-management actions without an explicit consent gate, which is risky in an agent context because it can alter the host unexpectedly and increase supply-chain exposure.

Context-Inappropriate Capability

Severity: Medium. Confidence: 88%.
Finding
The workflow enumerates local conda environments to discover one containing flag_gems, which is host reconnaissance beyond the minimum needed for kernel optimization. In an agent setting, environment discovery can expose system metadata and installed toolchains, and it occurs without a clear user-facing permission step.

Context-Inappropriate Capability

Severity: Medium. Confidence: 94%.
Finding
This section authorizes automatic creation of Conda environments and installation of packages from external indexes, which extends beyond optimizing a local kernel and materially changes the user's Python environment. Even if intended to improve usability, it can introduce supply-chain risk, consume resources, alter existing tooling assumptions, and perform networked installs without explicit user approval.

Context-Inappropriate Capability

Severity: Medium. Confidence: 91%.
Finding
The skill is not limited to optimization of an isolated operator; it proceeds to modify core vLLM source files, tests, and benchmarks across the repository. That broad write scope increases the blast radius of mistakes or abuse, making it possible to silently change production code paths and validation artifacts under the guise of optimization.

Description-Behavior Mismatch

Severity: Medium. Confidence: 95%.
Finding
The skill instructs autonomous creation of a Conda environment and installation of packages, which goes beyond kernel optimization into making persistent system changes. This is risky because it executes network-backed package installation and modifies the local development environment without explicit user confirmation, increasing the attack surface and enabling unintended or unsafe dependency changes.

Description-Behavior Mismatch

Severity: Medium. Confidence: 93%.
Finding
The skill searches for a local FlagGems repository and installs it in editable mode, which executes packaging logic from local code and links the environment to a mutable source tree. That can run arbitrary build/install hooks or cause future executions to pick up unreviewed local code changes, making this more dangerous than a normal dependency check.

Description-Behavior Mismatch

Severity: Low. Confidence: 87%.
Finding
The skill authorizes modifying benchmark code as part of the workflow, even though benchmark files are project source artifacts and such edits may alter evaluation logic or repository state. While lower impact than package installation, silent code modification can mislead users, taint performance results, and introduce unintended changes without review.

Context-Inappropriate Capability

Severity: Medium. Confidence: 84%.
Finding
The Conda environment scan enumerates environments across the host and probes them by attempting imports, which exceeds the minimum access needed for the stated task. This behavior can disclose local environment names/paths and interacts with unrelated environments, creating unnecessary privacy and operational risk.

Description-Behavior Mismatch

Severity: Medium. Confidence: 95%.
Finding
The skill is presented as a migration/specialization guide, but it directs the agent to save generated code, copy files, run tests/benchmarks, and generate reports automatically. This expands from advisory behavior into autonomous code modification and command execution in the user's repository, creating risk of unintended writes and execution of untrusted project code.

Context-Inappropriate Capability

Severity: Medium. Confidence: 96%.
Finding
The document mandates shell-based test and benchmark execution as part of the migration flow, including pytest commands run inside the output directory. Running project tests and benchmarks can execute arbitrary repository-controlled code, which is dangerous when done automatically and without clear consent or sandboxing.

Missing User Warnings

Severity: Medium. Confidence: 90%.
Finding
The README instructs the agent to configure MCP by writing tokens and server settings into local configuration files such as claude.json or mcp.json, but it does not prominently warn that this modifies local files or may store sensitive credentials on disk. In an agent skill context, automatic config mutation can have security consequences because it changes trust boundaries and may persist secrets in locations the user does not expect.

Missing User Warnings

Severity: Medium. Confidence: 84%.
Finding
The README states that the skill can automatically submit a Pull Request and provide the link, but it does not prominently disclose that this performs a remote repository action which may publish code externally. In a coding agent workflow, automatic PR creation can expose sensitive code, create unauthorized changes in a public repo, or trigger CI and policy workflows without sufficiently informed consent.

Missing User Warnings

Severity: High. Confidence: 96%.
Finding
The README says the skill may send modified files to chat applications such as WeChat or Feishu, but it provides no privacy or data-handling warning. This is especially dangerous because code files may contain proprietary source, credentials, tokens, or customer data, and sending them to third-party messaging platforms creates a high risk of unintended data exfiltration.

Missing User Warnings

Severity: Medium. Confidence: 88%.
Finding
The README advertises feedback submission with auto-detected environment information and external transmission via GitHub Issues or email, but it does not clearly disclose what information will be collected and sent. In this skill context, environment metadata can include system details, repository information, paths, and other sensitive context that users may not realize is being transmitted off-host.

Missing User Warnings

Severity: Medium. Confidence: 93%.
Finding
The README instructs users to place a KernelGen token directly into local MCP client configuration files, but does not warn that this token is a secret or recommend safer storage and handling practices. In an agent-centric workflow, config files are often synced, shared, logged, or committed by mistake, so normalizing plaintext token placement materially increases the chance of credential leakage and downstream unauthorized use of the MCP service.

Vague Triggers

Severity: Medium. Confidence: 90%.
Finding
The invocation guidance includes broad natural-language phrases like 'generate an operator', 'create a kernel for X', and 'optimize triton kernel', which are generic enough to overlap with ordinary developer conversation. In a user-invokable skill with powerful file, shell, and code-modifying tools, overly broad triggers can cause accidental activation and unintended execution of a high-impact workflow.

VirusTotal

65/65 vendors flagged this skill as clean.