Tool Registry

Security checks across malware telemetry and agentic risk

Overview

This skill is a tool registry, but it also includes built-in file-writing and shell-command tools that can run without enforced permission checks.

Install only if you explicitly want a local executable tool registry and trust any caller that can invoke it. Before use, disable or remove the bash and write_file tools, or add enforced permission checks, path limits, command allowlists, and explicit confirmation for every write or shell action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Description-Behavior Mismatch
Severity: High
Confidence: 99%
Finding: The skill is described as a registry/discovery system, but the predefined registry embeds operational tools for reading files, writing files, globbing the filesystem, and executing shell commands. This expands the trust boundary from metadata lookup into direct host interaction, so any caller that can access the registry can potentially reach sensitive capabilities unrelated to the stated purpose.

Description-Behavior Mismatch
Severity: Medium
Confidence: 96%
Finding: The generic execute() method invokes any registered tool implementation without enforcing permission or agent-type checks at execution time. This means search/list filtering can be bypassed if a caller directly names a tool, allowing registry functionality to become a dispatch layer for privileged actions.

Context-Inappropriate Capability
Severity: Critical
Confidence: 100%
Finding: The registry exposes a bash tool that accepts arbitrary command strings and executes them via the system shell. In the context of a tool-discovery skill, this is especially dangerous because it creates a direct remote-code-execution path on the host, enabling data exfiltration, destructive commands, persistence, or lateral movement.

Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: The write_file tool allows arbitrary file writes from caller-supplied paths and content, which is unrelated to registry/discovery behavior. This can overwrite configuration, implant malicious scripts, alter source code, or corrupt application data, especially because there are no path constraints or approval gates.

Context-Inappropriate Capability
Severity: Medium
Confidence: 94%
Finding: The registry includes read_file and glob capabilities that permit direct filesystem inspection beyond the stated discovery purpose. These primitives can disclose secrets, source code, credentials, and internal layout information that help an attacker escalate to more serious compromise.

Vague Triggers
Severity: Medium
Confidence: 88%
Finding: The trigger conditions are broad and based on common phrases like '工具有哪些' ("what tools are there"), '搜索工具' ("search tools"), '查找技能' ("find skills"), and '工具路由' ("tool routing") without clear exclusions, anchoring, or user-intent checks. This can cause unintended activation and route users into a tool-discovery workflow when they are merely discussing tools abstractly, increasing the chance of unnecessary capability exposure or confusing tool suggestions.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The file-write capability performs state-changing operations immediately with no user-facing warning, confirmation, or policy interlock. In an agent setting, this increases the risk of accidental or induced modification of important files because a single prompt or tool call can silently persist changes.

Missing User Warnings
Severity: High
Confidence: 98%
Finding: The shell-execution tool runs arbitrary commands without any confirmation, warning, or safety review. In agent workflows this materially raises the chance of prompt-induced destructive execution, since dangerous commands can be launched directly and immediately on the host.

VirusTotal

67/67 vendors flagged this skill as clean.