aa-pair-analysis

Security checks across malware telemetry and agentic risk

Overview

The skill’s stated protein-analysis purpose is coherent, but its installer can download and install an unverified executable over plain HTTP and make persistent changes to the user’s shell configuration.

Review scripts/setup.sh before installing. Prefer installing ClustalOmega yourself from a trusted package manager or a verified release, avoid the HTTP binary fallback, and check whether ~/.bashrc was modified. Also confirm the hard-coded /home/lenovo/.openclaw paths before running the PDF or report-update helpers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill invokes shell commands, reads and writes files, and includes a setup script that installs dependencies, yet no permissions or capability boundaries are declared. This is dangerous because an agent may execute environment-changing commands or modify workspace contents without clear user consent or sandbox constraints.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is protein sequence pair analysis, but the described behavior extends to package installation, hardcoded local path access, PDF parsing, cross-skill file integration, report rewriting, and Word document generation. This mismatch is dangerous because hidden or under-disclosed behaviors expand the attack surface and can lead to unexpected access to local files, bulk writes, and execution of external tooling beyond what a user reasonably authorized.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The setup script performs package installation via pip/apt/conda and directly downloads an executable with curl from the network. That materially exceeds a passive analysis role and introduces supply-chain and integrity risks, especially because the downloaded clustalo binary is fetched over plain HTTP without signature or checksum verification.
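The remediation this finding implies, shown here as an added example rather than anything taken from the skill’s own scripts/setup.sh: refuse cleartext URLs, fetch over TLS only, and compare the file against a SHA-256 digest pinned from the upstream release page before it is made executable. The function names, the sample URL and the digest placeholder are assumptions; the verification step runs offline.

```bash
#!/usr/bin/env bash
# Added example: pinned-checksum install of a prebuilt binary, the pattern a
# setup script should use instead of an unverified curl over http://.
# Function names and the sample URL are placeholders, not the skill's values.

# Accept only https:// URLs. TLS stops a trivially swapped download on the path;
# the digest check below is what actually pins the artifact.
url_allowed() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Print the SHA-256 of a file with whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Download $1 to $2 over TLS 1.2+ only, failing on HTTP errors. Not exercised
# by the offline check below.
fetch_https() {
    url_allowed "$1" || { echo "refusing non-https URL: $1" >&2; return 1; }
    curl --proto '=https' --tlsv1.2 --fail --silent --show-error --location \
         --output "$2" "$1"
}

# Compare $1 against the pinned digest $2; only then move it to $3 and mark it
# executable. On mismatch the download is discarded and nothing is installed.
install_verified() {
    local file="$1" expected="$2" dest="$3" actual
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got $actual, want $expected" >&2
        rm -f "$file"
        return 1
    fi
    mkdir -p "$(dirname "$dest")"
    chmod 0755 "$file"
    mv "$file" "$dest"
}

# Usage (placeholder URL and digest; the digest must come from the project's
# release page, not from the same channel as the binary):
#   tmp=$(mktemp)
#   fetch_https "https://example.com/clustalo-x86_64" "$tmp" \
#     && install_verified "$tmp" "<pinned sha256>" "$HOME/.local/bin/clustalo"
```

Unlike the fallback the finding describes, a mismatch here is a hard stop: the temporary file is removed and the destination is never written, so a replaced binary cannot end up on PATH.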

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The script claims to check and install dependencies, but it also persists changes by appending to ~/.bashrc to alter PATH. Hidden persistence is security-relevant because it changes future shell behavior beyond the immediate run and is not clearly disclosed to the user.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script downloads a binary from the network and then modifies ~/.bashrc so that the new binary is automatically found on future logins, all without an explicit confirmation prompt. This combination increases the blast radius of a compromised or replaced binary and creates a persistence mechanism that users may not notice.
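To act on the overview’s advice (review scripts/setup.sh before installing, then check whether ~/.bashrc was modified), the following added example, which is neither the skill’s code nor part of SkillSpector, greps a setup script for the exact patterns in these findings and lists PATH lines in a shell startup file that point at a given directory. The sample setup.sh it writes is constructed to resemble the behaviour described above; the URL in it is a placeholder.

```bash
#!/usr/bin/env bash
# Added example: static pre-install audit of a skill setup script for the
# behaviours flagged above. Constructed here; not the skill's or the scanner's code.

# Print matching lines plus a label for each pattern found in the script at $1.
# Exit status is the number of findings, so 0 means nothing matched.
audit_setup_script() {
    local script="$1" n=0
    [ -r "$script" ] || { echo "cannot read $script" >&2; return 255; }

    # Cleartext download: anyone on the network path can swap the binary.
    if grep -nE '(curl|wget)[^#]*http://' "$script"; then
        echo "  -> plain-HTTP download"; n=$((n+1))
    fi
    # Downloads present, but no checksum or signature step anywhere in the script.
    if grep -qE '(curl|wget)' "$script" &&
       ! grep -qE 'sha256sum|shasum|gpg|cosign|minisign' "$script"; then
        echo "  -> download without sha256/gpg verification"; n=$((n+1))
    fi
    # Download piped straight into an interpreter.
    if grep -nE '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|z)?sh([[:space:]]|$)' "$script"; then
        echo "  -> download piped to a shell"; n=$((n+1))
    fi
    # Persistence: appending to a shell startup file changes every future login.
    if grep -nE ">>[[:space:]]*[\"']?(~|\\\$HOME)/\\.(bashrc|bash_profile|profile|zshrc)" "$script"; then
        echo "  -> appends to a shell startup file"; n=$((n+1))
    fi
    # Hard-coded home directories only resolve on the author's machine.
    if grep -nE '/home/[A-Za-z0-9_-]+/' "$script"; then
        echo "  -> hard-coded /home/<user> path"; n=$((n+1))
    fi
    return "$n"
}

# Print non-comment PATH assignments in startup file $1 that mention $2 (an ERE);
# exit 0 if any exist, 1 otherwise. Run after install to see what was persisted.
bashrc_path_entries() {
    grep -nE "^[^#]*PATH=.*$2" "$1"
}

# Constructed stand-in for a setup script with the reported behaviours.
write_sample_setup() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
#!/bin/bash
pip install biopython
if ! command -v clustalo >/dev/null; then
    mkdir -p "$HOME/.local/bin"
    curl -L -o "$HOME/.local/bin/clustalo" http://example.com/clustalo-linux-x86_64
    chmod +x "$HOME/.local/bin/clustalo"
    echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bashrc
fi
REPORT_DIR=/home/lenovo/.openclaw/workspace/reports
EOF
    echo "$f"
}

sample=$(write_sample_setup)
audit_setup_script "$sample" || echo "setup.sh: $? finding(s); do not run it as-is"
rm -f "$sample"
```

Against the constructed sample this reports four findings (cleartext download, no verification step, startup-file append, hard-coded home path); point it at the real scripts/setup.sh, and after any install run bashrc_path_entries "$HOME/.bashrc" '\.local/bin' to see what was persisted.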

Vague Triggers

Medium
Confidence
83% confidence
Finding
The CLI matchers are listed without qualifiers, exclusions, or context gates, so the skill may activate on ambiguous terms that overlap with adjacent domains. While this is not a code-execution risk, it is a genuine prompt-routing and scope-control weakness that can lead to misfires, inappropriate tool use, and accidental processing of unrelated user requests.

Vague Triggers

Low
Confidence
83% confidence
Finding
The CLI matchers are listed without qualifiers, exclusions, or context gates, so the skill may activate on ambiguous terms that overlap with adjacent domains. While this is not a code-execution risk, it is a genuine prompt-routing and scope-control weakness that can lead to misfires, inappropriate tool use, and accidental processing of unrelated user requests.

VirusTotal

64/64 vendors flagged this skill as clean.