Examine Sandbox

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate privacy-audit helper, but it also tells agents how to change or revoke live share links without strong safeguards.

Install only if you trust the agent with your PULSE_API_KEY and account-sharing data. Use the skill for read-only reporting by default, and do not allow PATCH or DELETE commands unless you explicitly approve the exact linkId, action, and expected impact.
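The approval rule above (read-only by default, and a write only when the operator has approved the exact linkId, action and expected impact) can be enforced in the harness that hands tool calls to the agent rather than left to the prompt. The following is an added example, not code from the Examine Sandbox skill, SkillSpector, or the Pulse API: the HTTP methods, `linkId` and `action` follow the page's description, while the action names, the linkId format and the way approvals are recorded are assumptions for illustration.

```python
"""Consent gate for share-link tool calls issued by an agent.

Added example; not the skill's or the Pulse API's own code. Method names,
linkId and action mirror the page's wording; action names, the linkId
pattern and the approval record are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

READ_ONLY_METHODS = {"GET", "HEAD"}
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
LINK_ID_RE = re.compile(r"^[A-Za-z0-9_-]{4,64}$")  # assumed linkId shape


@dataclass(frozen=True)
class Approval:
    """One explicit, single-use human approval for exactly one write."""
    link_id: str
    action: str           # assumed names: "revoke", "narrow_scope", "downgrade_access"
    expected_impact: str  # the impact statement the operator confirmed; kept for the log


@dataclass
class ShareLinkGate:
    read_only: bool = True                        # default: reporting only
    approvals: List[Approval] = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def approve(self, link_id: str, action: str, expected_impact: str) -> None:
        """Record one approval for one (linkId, action) pair; consumed by the first matching call."""
        self.approvals.append(Approval(link_id, action, expected_impact))

    def check(self, method: str, link_id: Optional[str] = None,
              action: Optional[str] = None) -> Tuple[bool, str]:
        """Decide whether the agent may issue this call. Returns (allowed, reason)."""
        method = method.upper()
        if method in READ_ONLY_METHODS:
            return self._decide(True, "read-only call", method, link_id, action)
        if method not in STATE_CHANGING_METHODS:
            return self._decide(False, f"unknown method {method}", method, link_id, action)
        if self.read_only:
            return self._decide(False, "gate is in read-only mode; writes disabled",
                                method, link_id, action)
        # A write must name one exact target and one action: no wildcard or bulk revocation.
        if not link_id or not LINK_ID_RE.fullmatch(link_id) or not action:
            return self._decide(False, "write requires an exact linkId and action",
                                method, link_id, action)
        for ap in self.approvals:
            if ap.link_id == link_id and ap.action == action:
                self.approvals.remove(ap)  # single use: one approval covers one call
                return self._decide(True, f"approved: {ap.expected_impact}",
                                    method, link_id, action)
        return self._decide(False, "no matching approval for this linkId/action",
                            method, link_id, action)

    def _decide(self, allowed, reason, method, link_id, action):
        # Every decision, allowed or not, is logged so an audit can reconstruct what the agent tried.
        self.audit_log.append({"method": method, "linkId": link_id, "action": action,
                               "allowed": allowed, "reason": reason})
        return allowed, reason


def demo() -> List[bool]:
    """Walk the gate through the page's scenario; returns the allow/deny sequence."""
    gate = ShareLinkGate()
    results = [gate.check("GET")[0],                                  # True: reporting
               gate.check("DELETE", "lnk_42", "revoke")[0]]           # False: read-only mode
    gate.read_only = False
    results.append(gate.check("DELETE", "lnk_42", "revoke")[0])      # False: nothing approved
    gate.approve("lnk_42", "revoke", "collaborators on lnk_42 lose access immediately")
    results.append(gate.check("PATCH", "lnk_42", "narrow_scope")[0]) # False: different action
    results.append(gate.check("DELETE", "lnk_42", "revoke")[0])      # True: exact match
    results.append(gate.check("DELETE", "lnk_42", "revoke")[0])      # False: approval consumed
    return results


if __name__ == "__main__":
    print(demo())
```

The two design points worth copying are that an approval is consumed by the one call it matches, so a prompt that says "now revoke the rest too" cannot reuse it, and that a write without an exact linkId is refused outright rather than treated as a bulk operation.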

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding
The skill is presented as a visibility/audit tool, but it also includes live share-modification and revocation operations. That mismatch is dangerous because an agent or user may invoke the skill expecting read-only inspection, yet it can alter production sharing state and disrupt access or change permissions without clearly separated consent.

Context-Inappropriate Capability

Severity: High
Confidence: 94%
Finding
The documented purpose is to examine sandbox visibility, but the skill embeds capabilities to narrow scope, downgrade access, and revoke links. These write actions exceed the least-privilege expectations set by the skill name and description, increasing the chance of misuse, accidental denial of access, or unauthorized policy changes.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The skill is described as an examination/audit tool, but the API reference includes state-changing operations to modify and revoke share links. This creates a privilege/intent mismatch: an agent invoked for review could be induced to take destructive or permission-altering actions beyond what a user reasonably expects from an inspection workflow.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
Allowing share-setting changes in a skill framed as 'check what is shared' broadens the action surface from observation to modification without clear justification. An LLM agent can be socially engineered through ordinary audit prompts into changing access scope, expiration, or note permissions, causing unintended exposure reduction or expansion.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The documented ability to immediately revoke share links is a destructive action that is not inherent to merely examining shared data. In an audit-context skill, this increases the risk that ambiguous or malicious prompts could trigger denial of access for legitimate collaborators or disrupt active workflows.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill instructs querying network state and searching notes for sensitive terms, which can expose highly sensitive shared data, but it provides no privacy warning, consent gate, or minimization guidance. In a privacy-audit context, silently enumerating visitors, contacts, and sensitive note hits raises the risk of over-collection and inappropriate disclosure to whoever runs the skill.
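The minimization this finding asks for has a concrete shape: the sensitive-term search reports which notes hit which category, how often, and how widely each note is shared, but never copies the matched text into the agent's context or the operator's report. The following is an added example, not the Examine Sandbox skill's own search; the notes are constructed sample data and the term patterns are illustrative assumptions.

```python
"""Minimized sensitive-term scan over shared notes.

Added example; not the Examine Sandbox skill's own search. SAMPLE_NOTES is
constructed data and SENSITIVE_PATTERNS are illustrative assumptions. The
report carries note ids, categories, hit counts and sharing scope only.
"""
import re
from collections import Counter
from typing import Dict, List

# Category -> pattern. Assumed for illustration; a real audit would tune these.
SENSITIVE_PATTERNS = {
    "credential": re.compile(r"\b(password|passwd|api[_ -]?key|secret)\b\s*[:=]", re.I),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

# Constructed sample notes; "public-link" marks a note reachable by a share link.
SAMPLE_NOTES = [
    {"id": "n1", "shared_with": ["public-link"],
     "text": "Deploy notes. password: hunter2 on the staging box."},
    {"id": "n2", "shared_with": ["alice@example.com"],
     "text": "Lunch plans and a reading list."},
    {"id": "n3", "shared_with": ["public-link", "bob@example.com"],
     "text": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"
             "api_key = sk_test_123"},
]


def scan_minimized(notes: List[Dict]) -> List[Dict]:
    """One record per (note, category) that hit; counts and sharing scope, no note content."""
    report = []
    for note in notes:
        counts = Counter()
        for category, pattern in SENSITIVE_PATTERNS.items():
            counts[category] += len(pattern.findall(note["text"]))
        for category, hits in counts.items():
            if hits:
                report.append({
                    "note_id": note["id"],
                    "category": category,
                    "hits": hits,
                    "shared_with_count": len(note["shared_with"]),
                    "public_link": "public-link" in note["shared_with"],
                })
    return report


def leaks_content(report: List[Dict], notes: List[Dict]) -> bool:
    """Self-check: True if any report value reproduces a line of note text."""
    lines = {ln.strip() for n in notes for ln in n["text"].splitlines() if ln.strip()}
    for rec in report:
        for value in rec.values():
            if isinstance(value, str) and value in lines:
                return True
    return False


def prioritize(report: List[Dict]) -> List[str]:
    """Note ids ordered by exposure: public-link notes first, then by number of recipients."""
    ranked = sorted(report, key=lambda r: (not r["public_link"], -r["shared_with_count"]))
    seen: List[str] = []
    for rec in ranked:
        if rec["note_id"] not in seen:
            seen.append(rec["note_id"])
    return seen


if __name__ == "__main__":
    found = scan_minimized(SAMPLE_NOTES)
    for rec in found:
        print(rec)
    print("review order:", prioritize(found))
```

The operator still learns which notes to open and in what order, but the scan output itself is safe to paste into a ticket, which is not true of a search that returns the matched lines.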

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill documents PATCH and DELETE operations that change live sharing settings, but it does not clearly warn that these are state-changing actions with immediate user impact. Without an explicit warning, an operator may treat the skill as informational and unintentionally revoke or downgrade active links.

VirusTotal

64/64 vendors flagged this skill as clean. Antivirus verdicts cover file-level malware signatures only; they do not assess the excessive-agency and missing-consent issues reported above.