download_mirror1

Security checks across malware telemetry and agentic risk

Overview

This skill is a plausible mirror-download helper, but it automatically routes downloads, and any HuggingFace token it is given, through third-party mirrors, and it can install Python packages at runtime without adequate user control or warnings.

Install it only if you are comfortable fetching models and code through third-party mirrors. Do not pass a private HuggingFace token to mirrored endpoints, verify checksums or signatures against the upstream source whenever they are available, and run the helper in an isolated environment (a throwaway virtualenv or container) because it may install packages automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:

    # Excerpt from the skill's clone routine: a shallow clone of one branch
    # from the mirror URL the skill selected.
    cmd += ["--depth", "1"]
    cmd += ["-b", branch, clone_url, local_dir]

    # Runs the assembled command as an argument list (no shell), capturing output.
    result = subprocess.run(cmd, capture_output=True, text=True)
    if result.returncode == 0:
        print(f"[mirror-download] ✓ Clone complete: {local_dir}")
        return local_dir

Confidence: 87%
Finding: result = subprocess.run(cmd, capture_output=True, text=True)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:

    import subprocess
    import sys

    # Excerpt from the skill's dependency check: probe the import and, if it
    # fails, install the package into the running interpreter with pip.
    try:
        __import__(package.replace("-", "_"))
    except ImportError:
        print(f"[mirror-download] Installing {package}...")
        subprocess.run(
            [sys.executable, "-m", "pip", "install", package, "-q"],
            check=True
        )

Confidence: 98%
Finding: subprocess.run([sys.executable, "-m", "pip", "install", package, "-q"], check=True)

Context-Inappropriate Capability

Severity: Medium
Confidence: 99%
Finding: Auto-installing packages with pip gives the skill code-execution and environment-modification capability unrelated to its stated purpose of mirror downloading. That is especially dangerous for an agent skill because simply invoking the skill can trigger package install hooks and dependency resolution from external sources.
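As an added example (not the skill's code and not SkillSpector output), the auto-install routine from the finding above is shown next to a hardened replacement that only checks whether the dependencies are importable and fails closed with an install hint, so nothing is ever installed from inside the skill. Function names, the `MissingDependency` exception and the package-to-module heuristic are assumptions made for the demonstration.

```python
import importlib.util
import subprocess
import sys
from typing import Iterable, List, Optional


def ensure_package_unsafe(package: str) -> None:
    """The pattern flagged above: probe the import and, on failure, pip-install
    into the running interpreter. Kept for comparison; never called here."""
    try:
        __import__(package.replace("-", "_"))
    except ImportError:
        subprocess.run(
            [sys.executable, "-m", "pip", "install", package, "-q"], check=True
        )


class MissingDependency(RuntimeError):
    """Raised instead of modifying the environment (assumed name)."""


def module_name_for(package: str) -> str:
    """Assumed mapping from distribution name to import name, reusing the
    skill's own '-' -> '_' heuristic. Real packages can differ (Pillow is
    imported as PIL), so a skill should ship an explicit table instead."""
    return package.replace("-", "_")


def is_available(package: str, module_name: Optional[str] = None) -> bool:
    """find_spec only consults the import system; unlike __import__ it does
    not execute the module's top-level code."""
    return importlib.util.find_spec(module_name or module_name_for(package)) is not None


def missing_dependencies(packages: Iterable[str]) -> List[str]:
    """Return the subset of packages that cannot be imported."""
    return [p for p in packages if not is_available(p)]


def require_dependencies(packages: Iterable[str]) -> None:
    """Hardened form: fail closed and tell the user what to run themselves,
    in an environment of their choosing. No pip call from the skill."""
    missing = missing_dependencies(packages)
    if missing:
        hint = " ".join([sys.executable, "-m", "pip", "install", *missing])
        raise MissingDependency(
            "missing packages: " + ", ".join(missing)
            + f"; install them yourself, ideally in an isolated venv: {hint}"
        )


if __name__ == "__main__":
    # Constructed inputs: one stdlib module that exists, one name that cannot.
    print(missing_dependencies(["json", "definitely-not-a-real-pkg-xyz"]))
```

The difference that matters for an agent skill is who decides to install: `require_dependencies` surfaces the decision to the user as an error message, whereas `ensure_package_unsafe` makes it silently, as a side effect of the skill being invoked.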

Missing User Warnings

Severity: High
Confidence: 96%
Finding: The skill recommends downloading models and code via third-party mirrors and proxies such as hf-mirror, ModelScope, GitCode, and ghfast.top without adequate warnings about integrity, provenance, token leakage, or privacy risks. In this context the danger is elevated because the downloaded artifacts are executable code, model weights, or gated resources, making supply-chain compromise or credential exposure a realistic outcome.
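The following is an added example, not code from the download_mirror1 skill or from SkillSpector, that applies the Overview's guidance and the concerns in this finding in one place: it attaches a HuggingFace token only when the request goes to the official host, accepts download URLs only over HTTPS to an explicitly allowlisted mirror, and verifies a streamed SHA-256 against a digest obtained out of band. The allowlist contents, the `hf-mirror.com` hostname, the function names and the sample bytes are assumptions made for the demonstration; the page itself does not say which mirrors the skill's users should trust.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, Optional
from urllib.parse import urlparse

# Assumption: a HuggingFace token may only ever be presented to the official
# host. Mirror hosts never receive it, so a gated download via a mirror fails
# closed (unauthenticated) instead of leaking the token to the mirror operator.
TOKEN_HOSTS = {"huggingface.co"}

# Assumption: the operator's explicit allowlist of mirror hosts. The finding
# names hf-mirror, ModelScope, GitCode and ghfast.top as mirrors the skill
# uses; which of them to trust is the user's decision, hence the short list.
MIRROR_HOSTS = {"huggingface.co", "hf-mirror.com"}


def auth_headers_for(url: str, hf_token: Optional[str]) -> Dict[str, str]:
    """Return the bearer header only for an allowlisted official host."""
    host = (urlparse(url).hostname or "").lower()
    if hf_token and host in TOKEN_HOSTS:
        return {"Authorization": f"Bearer {hf_token}"}
    return {}


def check_download_url(url: str) -> str:
    """Reject anything that is not HTTPS to an allowlisted host; return the host."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        raise ValueError(f"refusing non-HTTPS download URL: {url}")
    if host not in MIRROR_HOSTS:
        raise ValueError(f"mirror host not in allowlist: {host!r}")
    return host


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-gigabyte model weights need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_checksum(path: Path, expected_sha256: str) -> bool:
    """Compare with a digest obtained from the upstream source (repo metadata,
    release notes), never with one served by the mirror that served the file."""
    return hmac.compare_digest(sha256_of_file(path), expected_sha256.lower())


# Constructed sample artifact and its SHA-256 (sha256(b"hello")).
SAMPLE_BYTES = b"hello"
SAMPLE_SHA256 = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"


def demo() -> Dict[str, bool]:
    """Exercise the checks on the constructed sample and return the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        artifact = Path(tmp) / "model.bin"
        artifact.write_bytes(SAMPLE_BYTES)
        tampered = Path(tmp) / "model-tampered.bin"
        tampered.write_bytes(SAMPLE_BYTES + b"\x00")  # one extra byte
        return {
            "official_gets_token": "Authorization"
            in auth_headers_for("https://huggingface.co/api/models/x", "hf_secret"),
            "mirror_gets_token": "Authorization"
            in auth_headers_for("https://hf-mirror.com/api/models/x", "hf_secret"),
            "checksum_ok": verify_checksum(artifact, SAMPLE_SHA256),
            "tampered_ok": verify_checksum(tampered, SAMPLE_SHA256),
        }


if __name__ == "__main__":
    print(demo())
```

Two design points are worth calling out. Host matching uses `urlparse(...).hostname`, not a substring test on the URL, so `https://huggingface.co.evil.example/` or a token-bearing host in the path does not pass. The checksum comparison deliberately takes the expected digest as an argument rather than fetching it alongside the file, because a mirror that can substitute the artifact can substitute a digest it serves just as easily.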

VirusTotal

65/65 vendors reported this skill as clean.