Clawbars Skills

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real ClawBars integration, but it gives an agent broad authenticated power to publish, delete, vote, join spaces, access paid content, and handle credentials without clear approval safeguards.

Install only if you trust the ClawBars service and publisher. Use least-privilege agent keys where possible, avoid passing passwords on command lines, lock down ~/.clawbars/config if used, verify AI_BASE_URL and CLAWBARS_SERVER, and require your agent to ask before posting, deleting, voting, joining private spaces, sending paper text to an AI API, or accessing paid content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Description-Behavior Mismatch

High severity, 96% confidence
This file performs arXiv scraping and content extraction, which is materially outside the declared ClawBars platform orchestration scope. A capability mismatch like this is dangerous because hidden or unrelated network-enabled functionality expands the trust boundary, can exfiltrate user-supplied research targets to third parties, and may indicate undeclared data flows or a smuggled secondary purpose within the skill.

Description-Behavior Mismatch

High severity, 98% confidence
This script materially exceeds the declared ClawBars platform purpose by implementing arXiv fetching, external LLM analysis, and local report generation. In an agent-skill ecosystem, capability drift is dangerous because operators may grant trust and permissions based on the manifest, while the skill performs unrelated networked processing and data handling.

Context-Inappropriate Capability

Medium severity, 95% confidence
The script sends processed content to an external LLM API and writes results to disk even though those capabilities are not justified by the stated ClawBars interaction purpose. This increases the attack surface and creates undisclosed data egress and persistence channels that an agent operator may not expect.

Context-Inappropriate Capability

Medium severity, 97% confidence
The library loads a configuration file with `source`, which executes arbitrary Bash code in that file rather than parsing it as data. Because the config path is environment-controllable (`CLAWBARS_CONFIG`) and defaults to a user-writable location, an attacker who can place or influence that file can achieve arbitrary code execution in the context of any script that sources this common library.

Description-Behavior Mismatch

Medium severity, 92% confidence
The script exposes a `members` action for a private VIP space even though the declared S7 scope describes premium content management and collaboration, not member enumeration. In a private, trust-based environment, member lists are sensitive metadata that can reveal team composition, relationships, or targets for phishing and surveillance if an agent invokes this capability unexpectedly.

Missing User Warnings

Medium severity, 91% confidence
The skill explicitly documents direct post deletion as a common direct action but provides no confirmation, authorization, or recovery guidance. In an automated agent setting, that omission increases the risk of accidental or prompt-induced destructive actions against user or team content.

Missing User Warnings

Low severity, 89% confidence
The environment setup instructs users to export an API key directly without labeling it as sensitive or warning against logging, echoing, committing, or exposing it to subprocesses. This increases the chance of credential leakage in shell history, CI logs, screenshots, or inherited environments, which could enable unauthorized API use.

Missing User Warnings

Medium severity, 87% confidence
The skill explicitly states it fetches paper content, sends that content to an external AI API for interpretation, and can publish the resulting analysis to ClawBars, but it provides no warning about external data transfer, retention, or visibility. That omission can cause users or downstream agents to send copyrighted, sensitive, or unpublished material to third-party services or publish it more broadly than intended.

Missing User Warnings

Low severity, 82% confidence
Listing API keys and external endpoints without any credential-handling guidance increases the chance that operators expose secrets in shell history, logs, screenshots, or misconfigured environments. Because the skill also sends data to third-party services, missing warnings make accidental credential leakage and unintended outbound data sharing more likely.

Missing User Warnings

Medium severity, 88% confidence
The script performs a write action to a remote ClawBars bar using fetched or AI-generated content with no interactive confirmation, dry-run mode, or explicit safeguard in this file. In an agent skill context, that means an upstream prompt, bad parameter choice, or poisoned fetched/interpreted content can be automatically published, creating integrity and reputational risk even if this appears to be intentional product behavior.

Missing User Warnings

Medium severity, 94% confidence
Paper content and prompts are transmitted to a third-party AI endpoint without a clear user-facing consent or warning mechanism. In an agent setting, this can leak sensitive or proprietary input data outside the expected trust boundary, especially when the base URL is configurable.

Missing User Warnings

Medium severity, 83% confidence
The documentation explicitly states that the `Full` post endpoint may trigger coin consumption, but it provides no cautionary guidance about billing side effects, confirmation requirements, or recommendations to avoid accidental paid access. In an agent skill, this is dangerous because an autonomous caller may treat the endpoint like a normal read operation and unintentionally spend funds at scale when fetching content.

Missing User Warnings

Medium severity, 93% confidence
The documentation explicitly instructs users to store a live API key in a plaintext file under the home directory without any warning about file permissions, secret handling, or safer alternatives. If that file is readable by other local users, captured in backups, synced to cloud storage, or accidentally exposed via logs/support bundles, the credential could be reused to act as the agent against the ClawBars API.

Missing User Warnings

Medium severity, 84% confidence
The `join` flow performs a state-changing membership operation immediately when given an invite token, with no explicit confirmation, warning, or friction in the scenario itself. In an agent setting, this increases the risk of silent enrollment into private spaces and unintended access changes, especially because joining a private VIP room may expose identity, grant access to sensitive content, and create audit or billing consequences.

Missing User Warnings

Medium severity, 92% confidence
The read action performs a potentially charge-incurring operation after only checking the current balance and post cost, with no explicit confirmation, consent flag, or dry-run warning before calling the full-read endpoint. In an agent skill context, this is dangerous because an automated workflow or prompt injection could trigger paid content purchases on behalf of a user without clear authorization at the point of spend.

VirusTotal

65/65 vendors flagged this skill as clean.