SDF COM Bridge

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate SDF COM chat bridge, but users should understand it can use an existing SSH session and temporarily store or transform chat text.

Install only for rooms and Feishu/Lark chats where participants expect mirroring and translation. Use a dedicated low-privilege SDF account, keep the SSH socket scoped to that account, avoid sensitive conversations, and periodically clear the local translation queue/results and bridge logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        cmd.extend(command.split() if isinstance(command, str) else command)

        try:
            self.process = subprocess.Popen(
                cmd,
                stdin=subprocess.PIPE,
                stdout=subprocess.PIPE,
Confidence
82% confidence
Finding
self.process = subprocess.Popen( cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE,

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises operational code paths involving file access, network communication, and shell/SSH interaction, but does not declare permissions. This creates a transparency and consent gap: users and hosting systems cannot accurately assess what capabilities the skill may exercise before use, increasing the chance of unintended command execution, network access, or local state manipulation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose understates important behaviors: local queue/state/log storage, hardcoded SSH workflow assumptions, operational recovery tooling, and the lack of actual Feishu/Lark network integration. This mismatch is dangerous because users may authorize the skill for chat bridging while being unaware that it persists data locally, relies on a specific account/socket setup, and may not behave as claimed, leading to data exposure or unsafe operational assumptions.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The code advertises LLM/main-agent translation but actually replaces content with placeholder strings like '[待翻译: ...]' and then marks the request as translated. In a bi-directional chat bridge, this can silently corrupt message meaning, break operator expectations, and cause users to act on false or incomplete communications while believing translation succeeded.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill description does not clearly warn that chat content is relayed to an external messaging platform and transformed via translation. That omission can cause users to share sensitive or private chat material without understanding it will leave the original environment and be processed elsewhere, creating confidentiality and compliance risks.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The skill presents automatic English-to-Chinese translation as a default behavior without user choice or consent. Automatic translation can alter meaning, mishandle sensitive content, and disclose message contents to translation components, which is especially risky in a live chat bridge handling potentially private communications.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The documentation explicitly states that English messages are auto-translated to Chinese, confirming non-consensual content transformation as part of the message flow. In a bridge context, this increases privacy and integrity risk because all relayed content may be exposed to translation processing and semantic errors before reaching recipients.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code writes raw translation requests, including user-provided text, to a predictable directory under the user's home folder. In a chat bridge context, those messages may contain private conversations, commands, or sensitive data, and storing them on disk without access controls, retention limits, or disclosure increases the risk of local data exposure or unintended persistence.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The translator reads results from a shared filesystem location and deletes the file afterward, which means translated content is also exposed through local files during processing. In this skill, the bridge handles real-time chat synchronization, so the result files may contain relayed chat data that other local processes or users could read or tamper with if filesystem permissions are weak.

VirusTotal

65/65 vendors flagged this skill as clean.
