Web Collection

Security checks across malware telemetry and agentic risk

Overview

The skill appears intended for web data collection, but it handles powerful tokens and local command execution with too little endpoint validation and disclosure.

Review this skill before installing. Use it only if you trust the cloud service and connector, avoid custom base URLs unless you control them, treat cloud tokens as secrets, prefer environment variables or a secret store over persistent preferences, and do not pass --bridge-cmd values from untrusted sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Context-Inappropriate Capability

Medium
Confidence
93%
Finding
When --ensure-bridge is used, the script executes the user-supplied BRIDGE_CMD via `bash -lc` under `nohup`, which allows arbitrary shell command execution in the local environment. In a data-collection helper, this exceeds the minimum required capability and becomes dangerous if an upstream agent, workflow, or untrusted input can influence that argument.

Context-Inappropriate Capability

Medium
Confidence
90%
Finding
The script automatically resolves an admin token from either an environment variable or a local file and then uses it for API requests. Even if intended for legitimate local administration, this broad credential access exceeds a narrow re-export helper role and can silently grant elevated operations if the script is invoked in an untrusted workflow or against a user-supplied base URL.

Context-Inappropriate Capability

Medium
Confidence
96%
Finding
The script accepts an arbitrary shell command from --bridge-cmd or WEB_COLLECTION_BRIDGE_CMD and later passes it to downstream execution as the bridge startup command. In a skill that is supposed to perform web collection, this creates a broad command-execution primitive that can run attacker-chosen local code if a user, wrapper, or upstream component supplies a malicious value.

Missing User Warnings

Medium
Confidence
88%
Finding
The skill instructs users to provide a cloud API token and device ID and shows command patterns embedding bearer credentials, but it gives no warning about treating these values as secrets. In practice, this can lead to users pasting long-lived tokens into chat or command history, where they may be retained in logs, transcripts, shell history, or other tooling.

Natural-Language Policy Violations

Medium
Confidence
93%
Finding
The skill hardcodes a Chinese-only recovery prompt and quick-reply options without checking the user’s language preference or offering an alternative. This can cause unsafe or misleading interaction outcomes for users who cannot read Chinese, especially during error recovery where misunderstanding can lead to incorrect export choices or unintended data-handling actions.

Missing User Warnings

Medium
Confidence
96%
Finding
The script sends the supplied Bearer token to whatever --base-url the caller provides, with no restriction to HTTPS, no allowlist, and no warning that credentials will be disclosed to that endpoint. In a skill whose purpose is cloud/browser data collection, users are expected to pass real API tokens, so a malicious or misconfigured base URL can exfiltrate credentials to an attacker-controlled service or expose them over plaintext HTTP.

Missing User Warnings

Medium
Confidence
82%
Finding
The script silently discovers privileged credentials from the environment or a file and automatically attaches them to HTTP requests without prominent disclosure at runtime. This becomes risky because BASE_URL is user-configurable, so a misconfigured or attacker-influenced endpoint could receive the admin token.

Missing User Warnings

Medium
Confidence
91%
Finding
The help text does not adequately emphasize that enabling bridge startup can execute an arbitrary shell command in the background. In an agent skill context, hidden execution primitives are especially dangerous because callers may invoke them as operational options without realizing they grant code-execution capability.

Missing User Warnings

Medium
Confidence
91%
Finding
In --write-preferences mode, the script persists defaultCloudDeviceId and defaultCloudToken by iterating normalized defaults and calling the preference helper, with no prompt, warning, or distinction between non-sensitive settings and secrets. In this skill context, cloud credentials are operational secrets for a collection service, so silently storing them increases the risk of unintended long-term retention, later disclosure through preference files, or reuse by other local processes/users.

Missing User Warnings

Medium
Confidence
88%
Finding
The script reads an admin token from ambient sources and transmits it in request headers without any user-facing warning or confirmation. In agent or automation contexts, this can cause covert use of privileged credentials, especially if BASE_URL is overridden to a non-local endpoint, resulting in credential disclosure or unauthorized admin actions.

External Transmission

Medium
Category
Data Exfiltration
Content
api_get() {
  local path="$1"
  curl -fsS \
    -H "Authorization: Bearer $TOKEN" \
    "$BASE_URL$path"
}
Confidence
94%
Finding
  curl -fsS \
    -H "Authorization: Bearer $TOKEN" \
    "$BASE_URL$path"
}
api_get_optional() {
  local path="$1"
  local raw http_code body
  raw="$(curl -sS -w $'\n%{http_code}' \
    -H "Authoriza

VirusTotal

64/64 vendors flagged this skill as clean.