mycelium

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed network skill for sharing agent task paths; it requires careful use around private data but shows no hidden or destructive behavior.

Install only if you are comfortable sending task goals, handles, feedback, and approved path summaries to the Mycelium service. Review every publish preview carefully, avoid secrets or customer/proprietary data, use a dedicated API key, and do not set MYCELIUM_API_URL unless you trust that host.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill invokes Python scripts, requires environment variables including an API key, and performs networked operations, but it does not declare explicit permissions for those capabilities. This creates a transparency and consent gap: an agent or platform may allow execution without clearly signaling that secrets, shell execution, and outbound network access are involved, increasing the chance of unintended data disclosure or unsafe execution.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The code advertises a human-in-the-loop safety control, but enforcement is only a caller-supplied boolean flag. Any autonomous caller or compromised upstream component can set confirmed=True and bypass the supposed review gate, which undermines the trust boundary and can lead to unintended publication of sensitive agent data.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The publish() path scrubs goal, path, and tags, but sends context unsanitized even though the surrounding comments imply the data is being scrubbed before transmission. In this skill, context is likely to contain task history, secrets, internal paths, tokens, prompts, or user data, so this mismatch can directly cause sensitive information disclosure to an external network service.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation guidance says to use the skill for 'a complex strategic task' or when wanting to publish a verified execution path, which is broad enough to trigger in many normal workflows. Because the skill is designed to publish execution history to an external network, over-broad invocation increases the risk that agents will unnecessarily expose task metadata or summaries derived from sensitive work.

VirusTotal

65/65 vendors flagged this skill as clean.