Critical Debater Suite

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent debate/research workflow, but it includes an under-specified optional cron job that would persistently rerun networked evidence refreshes and mutate reports after the session ends.

Install only if you are comfortable with a debate skill that searches the web, writes a local debate workspace, invokes local agent CLIs, and runs helper shell scripts. Do not enable the optional 6-hour cron refresh unless you inspect the exact command, know where it will be installed, and have a clear way to disable it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        return False

    try:
        result = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
Confidence
90% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, timeout=timeout_sec, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises operational capabilities that include writing files and invoking shell-dependent tooling, but it does not declare permissions or constraints for those actions. That creates a trust and policy gap: an orchestrator may route into modules that perform side effects without explicit user/admin approval, increasing the chance of unintended command execution or filesystem modification.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The capability authorizes external `search` to gather supplementary evidence, which expands the skill from internal debate orchestration into network-enabled data acquisition. This creates a real capability-scope increase: untrusted prompts can steer outbound retrieval, introduce prompt-injection from external content, or cause the agent to incorporate unvetted sources into its reasoning and outputs.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Instructing the agent to run `scripts/validate-json.sh` introduces command-execution behavior that is not inherent to generating a debate turn. Even if intended for harmless schema validation, invoking shell scripts broadens the attack surface to script tampering, path manipulation, environment abuse, or execution of unexpected commands in the workspace.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The capability explicitly instructs creating a recurring 6-hour cron job, which introduces persistence and autonomous re-execution beyond the stated on-demand debate workflow. Even though it is gated by 'If user agrees,' this expands the skill from a transient analysis tool into a background task that can continue consuming resources and making networked evidence-refresh actions after the initial session.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Creating a cron job is a persistence mechanism and system modification that is not necessary for performing a debate or generating a report. In the context of an agent skill, persistence is especially risky because it enables repeated execution, ongoing outbound data collection, and potential abuse of the host environment long after the user's immediate request has completed.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The evals broaden the skill from a narrowly described debate trigger into additional operational capabilities such as source ingestion, judge audit, and final synthesis. This can cause the router to invoke the skill for generic requests that are not clearly within the declared scope, increasing the chance of unintended activation and capability overreach.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script accepts an arbitrary path for AUDIT_FILE, creates it if missing, copies its current contents, appends attacker-controlled JSON, and then replaces the original via mv. If an untrusted caller can influence the audit file path, this becomes a generic file write/overwrite primitive affecting any file the process can access, which is broader than the debate skill's stated purpose and can damage integrity or tamper with logs.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad enough to match common requests such as 'analyze from multiple perspectives' or generic critical examination prompts, which can cause the skill to activate unexpectedly. In a multi-capability skill with internet, shell, and write-adjacent workflows, accidental routing increases exposure to unnecessary tool use and confusing or policy-bypassing behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The file describes creating a 6-hour cron job without any explicit warning that this modifies the system, persists beyond the current run, and may continue network activity or resource consumption. User agreement alone is not sufficient when the instructions omit clear disclosure of persistence implications and operational details, making informed consent weak and increasing the chance of unsafe deployment.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The capability explicitly instructs the agent to write updated freshness classifications back to `evidence/evidence_store.json`, but it does not mention obtaining user consent, warning about workspace mutation, or offering a dry-run mode. In an agent skill, silent modification of user workspace data is risky because it can overwrite prior evidence state, affect later debate outcomes, and create integrity issues even if the change is operationally intended.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The capability explicitly performs web searches and fetches full remote content but does not mention any user notification, consent gate, or restriction on when external network access is allowed. In an agent skill, this can cause unanticipated data transmission about the user's topic or workspace context to third-party services and may violate privacy, policy, or deployment expectations.

Vague Triggers

Medium
Confidence
92% confidence
Finding
Triggers like "search evidence about climate change impacts on agriculture" and "generate the final report for this debate" are broad enough to overlap with ordinary search or reporting requests. In a multi-skill environment, this ambiguity can misroute benign user requests into an adversarial debate workflow, causing confusing behavior, unnecessary tool use, or unintended access to debate-oriented sub-capabilities.

VirusTotal

66/66 vendors flagged this skill as clean.
