JAR Conflict Detector (jar冲突检测器)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Java dependency-conflict checker, but it can run Maven or Gradle commands from the chosen project, so use care with untrusted repositories.

Use this skill on Java projects you trust, or run it inside a container/sandbox for third-party repositories. Be aware that Maven and Gradle dependency commands can execute build scripts or wrappers from the project, and reports may be written into the selected workspace path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
gradle_cmd = "gradle"

    try:
        result = subprocess.run(
            [str(gradle_path) if gradle_path.exists() else gradle_cmd,
             "dependencies", "--configuration", "compileClasspath"],
            cwd=project_dir,
Confidence
98% confidence
Finding
result = subprocess.run( [str(gradle_path) if gradle_path.exists() else gradle_cmd, "dependencies", "--configuration", "compileClasspath"], cwd=project_dir

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Executing a repository's Gradle wrapper exceeds the stated purpose of passive dependency-conflict detection and turns analysis into code execution on untrusted input. A malicious project can place arbitrary logic in wrapper/batch scripts or trigger harmful build behavior, leading to compromise of the analyst's environment or CI runner.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad enough that the skill may activate for general dependency or upgrade discussions, not just explicit requests to scan a local project. Because the skill then proceeds toward command execution and report generation, unintended activation increases the chance of unnecessary filesystem access or shell use.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill directs the agent to run Maven/Gradle or a Python script and create report files without first requiring an explicit warning or consent step. External build commands may execute project-defined behavior or consume significant resources, and writing report artifacts changes the user's workspace, so silent execution creates avoidable risk.

VirusTotal

65/65 vendors flagged this skill as clean.
