Buy Domain Helper

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but it needs review because it can publicly expose local content, change Cloudflare hosting/DNS, auto-install or run packages, and declares an unrelated required token.

Review before installing. Do not provide the unrelated `NETA_TOKEN`. Only tunnel folders or ports you are comfortable making public, use narrowly scoped Cloudflare tokens, prefer environment variables or a secret manager over `--token` command arguments, and confirm any package install, Pages deployment, custom-domain attachment, or DNS change before it runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no explicit permissions, yet its documented behavior clearly requires environment access and outbound network activity. This mismatch weakens review and consent controls because an agent may invoke a capability-bearing skill without users or policy systems understanding that it can read tokens from the environment and make external service calls.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
In tunnel mode, the script will automatically install cloudflared via `brew install cloudflared` if it is missing. Installing software on the host is a privileged side effect beyond simply launching a site, and it can change system state without an explicit confirmation step. In an agent context, this is risky because a user asking to share a site may not expect package installation or the security implications of trusting Homebrew formulas.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The static-directory path runs `npx -y serve ...`, which fetches a package from the npm registry at invocation time and executes it on the local host. `-y` (`--yes`) suppresses the install prompt, and because no version is pinned, whatever release carries the `latest` tag at that moment is the code that runs, so a compromised or hijacked release would be executed without review. In an agent skill this is more dangerous because the action may occur non-interactively, without the user realizing that code is being downloaded and run from the package ecosystem.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The activation text is broad enough to match many ordinary requests about sharing pages, hosting sites, or using custom domains, which increases the chance of unintended triggering. In this skill, unintended activation is more dangerous because the advertised actions can expose local content, deploy material publicly, and interact with third-party infrastructure using API tokens.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that cloudflared 'installs automatically via Homebrew if missing' without a prominent warning or consent requirement, meaning invocation could modify the local system unexpectedly. Automatic package installation expands trust to external package sources and changes the host environment, which is especially risky in a skill that may be triggered by broad hosting-related requests.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script creates a public tunnel and immediately exposes the resulting URL, but it does not require an explicit acknowledgment that the local service will become reachable from the public internet. This can lead to accidental exposure of development services, admin panels, or sensitive local content. The skill context makes this particularly relevant because tunneling is its core purpose, so a strong disclosure and confirmation step is warranted.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When given a directory, the script serves it locally and then tunnels it publicly without a clear warning that local files are being published. Users may unintentionally expose private files, build artifacts, or secrets present in the selected directory. In this skill, that risk is heightened because the feature is designed to make sharing easy, which lowers friction for potentially unsafe publication.
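The mitigations the overview recommends (explicit confirmation before package installs and before anything goes public, a pinned and already-installed server instead of `npx -y serve`, the Cloudflare token taken from the environment rather than a `--token` argument) can be put into a small wrapper around the serve-and-tunnel flow. The script below is an added example, not the skill's own script and not part of the scan report. It assumes the names `CF_API_TOKEN`, `ALLOW_INSTALL` and `SERVE_VERSION`, a constructed list of secret-looking file names, and the real `serve -l PORT DIR` and `cloudflared tunnel --url` invocations; the skill may use different names.

```shell
#!/bin/sh
# Hardened wrapper for the "serve a folder, then tunnel it" flow. Added example,
# not the skill's own script. Assumed names: CF_API_TOKEN (env var holding the
# Cloudflare token), ALLOW_INSTALL (opt-in for package installation) and
# SERVE_VERSION (a pin you have reviewed yourself).
set -eu

# Basenames that should never leave the machine. Constructed list; extend it
# for your environment.
SENSITIVE_PATTERNS='.env .env.* *.pem *.key id_rsa id_ed25519 .git .npmrc .netrc credentials.json'
SERVE_VERSION="${SERVE_VERSION:-14.2.3}"   # assumed pin, replace with the release you reviewed

# Fail (status 1) and name the offenders if the directory holds anything that
# looks like a secret or repository metadata; status 2 if it is not a directory.
check_publishable_dir() {
    local dir="$1" found=0 pattern
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    set -f                      # patterns must reach find unexpanded by the shell
    for pattern in $SENSITIVE_PATTERNS; do
        # -name matches basenames at any depth; -quit stops at the first hit
        if [ -n "$(find "$dir" -name "$pattern" -print -quit 2>/dev/null)" ]; then
            echo "refusing to publish: $dir contains '$pattern'" >&2
            found=1
        fi
    done
    set +f
    return $found
}

# Build the local serve command from a copy that is already installed (project
# node_modules or PATH) instead of `npx -y serve`, which fetches an unpinned
# package and runs it unprompted. Prints the command; does not run it.
serve_command() {
    local dir="$1" port="${2:-3000}"
    if [ -x ./node_modules/.bin/serve ]; then
        printf '%s -l %s %s' ./node_modules/.bin/serve "$port" "$dir"
    elif command -v serve >/dev/null 2>&1; then
        printf 'serve -l %s %s' "$port" "$dir"
    else
        echo "serve is not installed; install a reviewed version yourself, e.g. npm install -g serve@$SERVE_VERSION" >&2
        return 1
    fi
}

# Install cloudflared only on explicit opt-in; a missing binary is otherwise an
# error, not a silent `brew install` side effect.
ensure_cloudflared() {
    command -v cloudflared >/dev/null 2>&1 && return 0
    if [ "${ALLOW_INSTALL:-0}" = "1" ]; then
        brew install cloudflared
    else
        echo "cloudflared is missing; rerun with ALLOW_INSTALL=1 to permit 'brew install cloudflared'" >&2
        return 1
    fi
}

# Take the Cloudflare token from the environment (populated by a secret manager),
# never from a --token argument that would land in ps output and shell history.
cloudflare_auth_header() {
    [ -n "${CF_API_TOKEN:-}" ] || { echo "CF_API_TOKEN is not set" >&2; return 1; }
    printf 'Authorization: Bearer %s' "$CF_API_TOKEN"
}

# Require an explicit acknowledgement before anything becomes reachable from
# the public internet.
confirm_publish() {
    local answer
    printf 'About to expose %s to the public internet. Type "publish" to continue: ' "$1" >&2
    read -r answer
    [ "$answer" = "publish" ]
}

main() {
    local dir="${1:?usage: $0 --run <directory> [port]}" port="${2:-3000}" serve_cmd
    check_publishable_dir "$dir"
    confirm_publish "$dir"
    ensure_cloudflared
    serve_cmd=$(serve_command "$dir" "$port")
    $serve_cmd &                # word-split on purpose; paths with spaces are not supported here
    # Quick tunnel to the local port; the URL cloudflared prints is public.
    cloudflared tunnel --url "http://localhost:$port"
}

# Only act when invoked as `./safe_publish.sh --run <dir> [port]`, so the
# functions can be sourced and reused without side effects.
if [ "${1:-}" = "--run" ]; then shift; main "$@"; fi
```

The directory check runs before the server starts, so a `.env` or `.git` left in a build folder stops the flow instead of being served. The serve step deliberately refuses to fetch anything: if no reviewed copy is installed, the user installs one knowingly, which also removes the dependency on the `latest` tag.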

VirusTotal

63/63 vendors flagged this skill as clean.
