rag-skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed remote knowledge-base lookup tool that uses an API key and sends queries to the Prana service, with sensitive steps mostly gated by user consent.

Install only if you trust the publisher and the claw-uat.ebonex.io Prana service. Prefer a temporary PRANA_SKILL_API_FLAG on shared machines, avoid including secrets or private documents in queries, and only allow purchase/history URL access when you explicitly need that account-related link.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill declares no explicit permissions, yet its instructions clearly require environment-variable access and multiple outbound network requests, including fetching API keys and invoking remote agent endpoints. This mismatch weakens security review and user consent because the real privilege boundary is hidden, and in this case the hidden capabilities involve credential handling and remote execution flow.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding: The manifest grants access to a purchase-history URL endpoint even though the skill’s stated purpose is knowledge-base retrieval. This violates least privilege and could expose account or transaction-related metadata unrelated to answering KB queries if the capability is invoked or later abused.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: Access to skill purchase history is not justified by the declared KB search functionality, making the permission set broader than necessary. In practice, unnecessary access increases the blast radius of compromise and creates a path for unintended collection of sensitive commercial or user-account data.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding: The activation condition is overly broad for a knowledge-base retrieval skill, so it may trigger on general requests that merely resemble RAG or knowledge queries. In context, that is more dangerous because activation can lead users into a workflow that checks environment variables, fetches API keys, and contacts an external service, expanding exposure beyond simple local retrieval.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The script sends arbitrary user-supplied question content to a remote endpoint at https://claw-uat.ebonex.io via /api/claw/agent-run without any explicit user-facing notice at execution time that their prompt will leave the local environment. In a skill context, user prompts may contain sensitive internal data, so the lack of transmission disclosure can lead to unintended external data exposure.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding: The activation description is broad enough that the skill may trigger for loosely related requests about retrieving RAG content, without clear boundaries on when it should or should not run. Ambiguous triggering can cause over-invocation of a remote agent, unintended data transmission, and user actions being routed to external services unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.