Nginx Config
Security checks across malware telemetry and agentic risk
Overview
The advertised Nginx config generator also includes an unexpected system-monitoring helper that can read local system/log information and keep a local command history.
Review this skill before installing. The Nginx config generation content appears purpose-aligned, but avoid running the included status/logs/info helper commands unless you intentionally want to expose local system details to the agent, and check or delete the local history file if sensitive arguments were used.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user expecting only Nginx config generation could have the agent run commands that reveal local system details or log snippets.
This helper is broader than the advertised Nginx config generator and can inspect local system status and recent syslog entries.
# nginx-config - System operations and monitoring tool ... Commands: status, check, monitor, logs, config ... cmd_logs() { echo " Recent: $(tail -5 /var/log/syslog
Remove these general system-monitoring commands, or clearly document them and require explicit user approval before running log/status/system-info actions.
Command names and arguments may remain on disk after use, potentially including domains, paths, service names, or other operational details.
The helper stores a persistent local command history under the user's home directory, which is not described in SKILL.md.
DATA_DIR="${NGINX_CONFIG_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/nginx-config}" ... mkdir -p "$DATA_DIR" ... _log() { echo ... >> "$DATA_DIR/history.log"; }
Disclose the history file, provide a cleanup option, and avoid logging sensitive arguments unless the user explicitly opts in.
Users have less provenance information for deciding whether to trust and run the included shell scripts.
The registry metadata does not provide a verifiable source or homepage for the packaged scripts.
Source: unknown
Homepage: none
Prefer a package with a verifiable source repository, or inspect the scripts locally before invoking them.
