Helm

Security checks across malware telemetry and agentic risk

Overview

This Helm helper is mostly legitimate, but it can inspect and change live Kubernetes releases, including rollback, with weaker disclosure and safety controls than that authority warrants.

Install only if you intend to let the agent interact with a real Helm/Kubernetes environment. Use a least-privilege kubeconfig, set an explicit namespace, verify the active cluster before release commands, and require human approval for rollback, repository changes, or any command that reads deployed manifests and values.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The description frames the skill as focused on local chart creation, linting, templating, and packaging, but the documented commands also interact with live Helm releases and repositories, including rollback and release inspection. This mismatch is dangerous because users or calling agents may grant trust under the assumption of local-only operations while the skill can query or alter deployed environments and repository configuration.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script exposes cluster and repository management capabilities such as listing releases, viewing status/history, adding repositories, updating repositories, and rollback, which materially exceed the stated skill scope of creating, linting, templating, and packaging Helm charts. In an agent setting, this scope expansion increases the chance of unintended access to live cluster metadata and execution of operational actions the user did not expect from this skill.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The rollback command invokes `helm rollback`, which directly mutates deployed cluster state and can change production workloads, configurations, or service availability. This is especially dangerous because rollback is outside the described chart-helper purpose, so users may grant or invoke the skill expecting local chart operations rather than a live deployment change.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README documents operations that can modify Helm repository configuration or deployed release state, but provides no warning, confirmation requirement, or safety guidance. In an agent setting, this increases the risk of unintended administrative actions against Kubernetes environments because dangerous operations are presented alongside benign read-only ones without distinction.

Missing User Warnings

Low
Confidence
85% confidence
Finding
Adding and updating Helm repositories causes outbound network requests to third-party endpoints, which can disclose the user's IP address, environment timing, and repository interests without any explicit warning in the skill UX. While this is standard Helm behavior, undisclosed network activity is a privacy and transparency issue in an agent skill, particularly when the manifest emphasizes local chart helper functions.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The Artifact Hub search path performs external queries, creating undisclosed outbound traffic to a third-party service. In an agent environment, even simple search terms may reveal project names, internal interests, or operational context, so the lack of disclosure makes this a legitimate privacy issue.

Credential Access

High
Category
Privilege Escalation
Content
## Commands

### `KUBECONFIG`

Path to kubeconfig file
Confidence
88% confidence
Finding
KUBECONFIG

VirusTotal

55/55 vendors flagged this skill as clean.
