ClawHub

lorax

Security checks across malware telemetry and agentic risk

Overview

This documentation-only Lorax skill matches its image-building purpose, but it includes unsafe copy-paste examples that could create images with a trivial root password or erase disks during installation.

Review before installing or using. Do not copy the sample Kickstart as-is: lock the root account or use a strong hashed password, and treat `clearpart --all` as destructive because it can erase target disks during installation. Verify cleanup paths before running deletion commands and use a disposable build host or VM for image-building workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document’s best-practice section recommends strong security hygiene, but the Kickstart example elsewhere uses `rootpw --plaintext password`, creating contradictory guidance that can normalize insecure defaults. In a system-image-building skill, examples are highly likely to be copied into production build pipelines, so this inconsistency materially increases the chance of weak credentials being baked into images.

Missing User Warnings

High
Confidence
99% confidence
Finding
The Kickstart example includes both `rootpw --plaintext password` and destructive partitioning commands like `clearpart --all --initlabel` without warning. If copied as-is, it can create images with trivial root credentials and also wipe target disks during installation, causing credential compromise and data loss.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The troubleshooting section recommends `rm -rf /var/tmp/lorax/*` without stating that it irreversibly deletes build artifacts and temporary data. While the command is scoped to a specific directory, users may run it blindly during troubleshooting and lose outputs or intermediate state needed for recovery or investigation.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal