Agent Runtime

Security checks across malware telemetry and agentic risk

Overview

This agent-runtime skill is not clearly malicious, but it exposes local shell execution while its advertised permission and hook controls do not actually limit it.

Review before installing or using this skill. Treat it as a powerful local runtime demo, not a safe permissioned agent system, unless you remove or lock down the shell tool, add real permission enforcement, and require explicit approval for command execution and broad file access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium, 97% confidence

Finding
The runtime advertises permission control and hook interception, but the hook implementation always returns allowed=true and denied=false, so no actual enforcement occurs. In this skill context, that is especially dangerous because the runtime can invoke a dangerous shell tool; operators may assume controls exist when in practice all tool use is permitted.

Vague Triggers

Medium, 90% confidence

Finding
The trigger phrases are broad enough to match common user intents such as creating or running an agent, which can cause this skill to activate unexpectedly in unrelated contexts. Because this skill appears to provide a powerful runtime with tool registration, hooks, permissions, and sub-agent execution, accidental invocation increases the chance of inappropriate capability exposure or policy bypass through over-selection.

Missing User Warnings

Medium, 99% confidence

Finding
The built-in bash tool executes arbitrary shell commands derived from runtime-selected tool usage, with no confirmation, allowlist, sandboxing, timeout, or argument validation. In an agent runtime skill, exposing direct command execution is highly dangerous because normal user messages can be mapped to this tool and lead to filesystem access, process execution, or broader host compromise.

VirusTotal

VirusTotal findings are pending for this skill version.
