ClawHub

Ngrok Preview

Security checks across malware telemetry and agentic risk

Overview

This skill is a legitimate ngrok preview helper, but it can publish arbitrary selected local files or directories to a public link and its advertised expiry is not enforced automatically.

Install only if you are comfortable with the agent creating public ngrok links from local files. Before each use, verify every --source is a narrow non-sensitive output path, avoid home directories, workspace roots, credential folders, logs, and config files, use a short TTL, and run the down command with --delete-session-dir or cleanup when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill invokes shell commands, reads environment variables, accesses local files, writes session metadata, and creates public ngrok links, yet it declares no permissions. That mismatch is dangerous because it hides the real trust boundary from reviewers and users, increasing the chance that a skill with network exposure and local file access is approved or run without appropriate scrutiny.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented purpose frames the skill as a narrow, temporary artifact preview flow, but the behavior described by analysis is broader: it can expose general files or directories, persists session data locally, and includes management operations beyond simple per-task sharing. In this context, that mismatch is dangerous because users may authorize a seemingly limited preview tool while it actually has the ability to publish a wider portion of the local filesystem and retain metadata longer than expected.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script copies user-selected files or whole directories into a session folder, serves them over a local HTTP server, and then publishes them through a public ngrok URL. There is no confirmation prompt, access control, warning banner, or secret-scanning step, so users can unintentionally expose sensitive local artifacts to anyone with the link.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal