Hook System

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent hook framework, but it gives configured hooks broad power to read tool data and run local shell commands.

Install only if you intentionally want hooks around tool execution. Treat every hook command as trusted code, avoid third-party hook snippets, do not enable hooks around secret-handling tools unless you add redaction and isolation, and review any logging hook because it can capture tool inputs, outputs, and environment secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger phrases are broad and loosely scoped, including generic terms like "hook" and "拦截工具", which can cause the skill to activate in unintended contexts. Because this skill can intercept tool execution, modify inputs/outputs, and block actions, accidental activation increases the chance of unauthorized logging, output tampering, or denial of legitimate tool use.

Missing User Warnings

Medium
Confidence: 96%
Finding
The description omits a clear warning that hooks can inspect and modify tool inputs and outputs, deny tool execution, and record tool data. This is dangerous because users may invoke the skill without understanding that it effectively sits inline on tool operations, creating risks of data exposure, tampering, and unexpected blocking of actions.

Missing User Warnings

Medium
Confidence: 96%
Finding
Hook commands are executed as shell subprocesses with the full parent environment inherited via process.env. Any configured hook therefore receives all ambient secrets available to the runner, such as API keys, tokens, or other credentials, and can exfiltrate them; using a shell also broadens execution risk if command strings are influenced by untrusted configuration.

Missing User Warnings

Medium
Confidence: 97%
Finding
The runner copies tool input, parsed input, output, and error state into environment variables for every hook subprocess. This can expose sensitive request and response data to hook commands, including file contents, prompts, secrets, or personal data, making any hook effectively a privileged observer of all tool traffic.

VirusTotal

VirusTotal findings are pending for this skill version.
