ClawHub

Gradient

Security checks across malware telemetry and agentic risk

Overview

This is a local CSS gradient helper whose file writes and saved history are consistent with its stated purpose, with ordinary caution around overwriting output files.

Install only if you are comfortable running a local Bash/Python helper. Avoid sensitive project names in saved gradients, review or delete ~/.gradient/data.jsonl if you do not want history retained, and choose export/preview output paths carefully because existing files may be overwritten.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill describes capabilities to read environment state and read/write local files, but it does not declare permissions or provide any boundary around those operations. This creates a trust and transparency gap: an agent or user may invoke the skill without realizing it can persist data locally or potentially access broader local context than expected.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The documentation explicitly includes create, update, delete, export, and preview commands that modify or generate local files, but it gives no warning that local state will be changed. In an agent setting, missing disclosure increases the chance of unintended file modification or deletion, especially when commands are run on behalf of a user.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The export and preview commands write to a user-controlled path with open(output, 'w'), which will silently overwrite existing files. In an agent context, if untrusted input can influence --output, this can clobber arbitrary files writable by the current user, causing data loss or unintended file creation in sensitive locations such as shell startup files or project configs.

Session Persistence

Medium
Category
Rogue Agent
Content
# Gradient — CSS Gradient Generator & Palette Builder

Generate production-ready CSS gradient code for linear, radial, and conic gradients. Create gradient palettes, preview combinations, adjust angles and color stops, and export gradient collections. All gradient definitions are stored locally in JSONL format for reuse and sharing.

## Prerequisites
Confidence
84% confidence
Finding
Create gradient palettes, preview combinations, adjust angles and color stops, and export gradient collections. All gradient definitions are stored locally in JSONL format for reuse and sharing. ## P

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal