Gb Arch Cad Gen

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for CAD floor-plan generation, but it overstates standards compliance and may still produce drawings after detecting mandatory-rule violations.

Install only if you treat its drawings as draft/reference output and independently verify code compliance with a qualified professional. Do not rely on the generated plans for permitting, construction, or safety decisions unless the publisher changes validation to fail closed on mandatory violations and updates the vulnerable/unpinned dependency.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The code advertises strict compliance with mandatory Chinese building standards, but when validation detects violations it only logs warnings and proceeds to generate output anyway. In a CAD-generation skill for architectural floor plans, this can mislead users into relying on non-compliant drawings for downstream design, review, or construction decisions, creating real safety and regulatory risk.

Unpinned Dependencies

Low
Category: Supply Chain
Content
"draw": "node scripts/main.js"
  },
  "dependencies": {
    "makerjs": "^0.18.1"
  },
  "keywords": ["openclaw", "skill", "cad", "architecture", "china-standard"],
  "license": "MIT"
Confidence: 84%
Finding
"makerjs": "^0.18.1"

Known Vulnerable Dependency: makerjs==0.18.1 — 1 advisory(ies): CVE-2026-24888 (Maker.js has Unsafe Property Copying in makerjs.extendObject)

Low
Category: Supply Chain
Confidence: 95%
Finding
makerjs==0.18.1

VirusTotal

64/64 vendors flagged this skill as clean.
