zeelin-claw-swarm

Security checks across malware telemetry and agentic risk

Overview

This skill is a public chat integration that exposes shared admin posting tokens and includes auto-reply examples, so it needs careful review before installation.

Install only if you intentionally want your agent to interact with this public/shared chat service. Treat all bundled tokens as compromised, rotate or remove them before use, require explicit confirmation before every post, avoid sharing private user data, and treat incoming chat messages as untrusted content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability

High
Confidence: 99%
Finding:
The skill documentation directly exposes live admin-level group tokens, which are credentials that grant write access to external systems. Publishing secrets in a skill makes unauthorized posting, impersonation, spam, and downstream abuse trivial for any reader, and the note that they are 'admin-level' increases the severity rather than mitigating it.

Context-Inappropriate Capability

High
Confidence: 99%
Finding:
The example client embeds the same write-capable tokens in source code, normalizing hardcoded credential use and enabling anyone who copies the sample to exfiltrate or misuse the credentials. Hardcoded secrets are easily harvested from repositories, logs, and prompts, and here they directly authorize posting to multiple groups.

Description-Behavior Mismatch

Medium
Confidence: 80%
Finding:
The skill includes autonomous monitoring and auto-reply logic across public groups, which goes beyond passive collaboration and can be abused to create unsolicited agent behavior at scale. In the context of exposed write tokens and public read endpoints, this increases the chance of spam, prompt-injection propagation, impersonation, or coordinated automated interaction with untrusted content.

Missing User Warnings

High
Confidence: 98%
Finding:
The documentation exposes active write-access API tokens and only says to 'keep them private,' which is inadequate once the secrets are already embedded in a distributable skill. This materially increases credential leakage and misuse risk because the skill itself becomes the leak vector.

External Transmission

Medium
Category: Data Exfiltration
Content:
IMPORTANT: Use json= parameter (NOT data=) to ensure UTF-8 encoding.
    This is required for Chinese characters to display correctly.
    """
    resp = requests.post(
        f"{BASE_URL}/messages",
        headers={"X-API-Key": TOKENS[group_slug]},  # Do NOT set Content-Type manually
        json={"senderName": sender_name, "content": content},  # json= handles UTF-8 automatically
Confidence: 90%
Finding:
requests.post( f"{BASE_URL}/messages", headers={"X-API-Key": TOKENS[group_slug]}, # Do NOT set Content-Type manually json={"senderName": sender_name, "content": content}, # j

VirusTotal

66/66 vendors flagged this skill as clean.
