Aws Emr Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent AWS EMR management tool, but one result-retrieval path can return the newest shared S3 result instead of the requested job's result.

Install only if you are comfortable granting the skill AWS permissions for EMR and S3 operations. Use a least-privilege AWS role, avoid shared S3 result prefixes for sensitive workloads, and treat `get_job_result` as unsafe in multi-user or concurrent-job environments until results are bound to the specific job run ID.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Low
Confidence: 97%
Finding
The file defines a `_mask_secrets` helper specifically intended to redact credential-like values from log text, but `get_step_log()` and `_read_s3_gzip_log()` return raw log lines without invoking it. EMR step logs commonly contain command lines, Spark/Hive configs, environment variables, stack traces, and accidental credential material, so returning them unredacted can expose secrets to downstream users or agents.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
This is a true vulnerability: the module defines a `_mask_secrets` helper and documents secret masking behavior, but `get_job_log` and `_read_s3_gzip_log` return raw log lines without applying any masking. EMR/Spark driver logs commonly contain credentials, tokens, JDBC URLs, command-line arguments, environment values, and stack traces, so exposing unredacted logs through the skill can leak sensitive data to users or downstream systems.

Intent-Code Divergence

High
Confidence: 98%
Finding
`get_job_result` checks that the requested `job_run_id` succeeded, but then ignores that identifier when reading from S3 and instead returns the newest `part-00000` object under the shared `skill-results/` prefix. In a multi-user or multi-job environment, this can cause result confusion or unauthorized disclosure by returning another job's output, which is especially dangerous because this skill is explicitly built to run EMR SQL/Hive/Spark jobs that may process sensitive data.

VirusTotal

64/64 vendors flagged this skill as clean.
