ClawHub Security Scan

Security checks across malware telemetry and agentic risk

Overview

This is a coherent paid local scanner, with a disclosed SkillPay charge, but users should notice the billing key and per-call charge before running it.

Install only if you are comfortable with a paid SkillPay-backed tool. Running scan.py or precheck.py can charge 0.001 USDT and sends billing metadata to SkillPay; scope --path to the skill folder you intend to scan and provide SKILLPAY_API_KEY or --api-key only when you mean to authorize billing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises capabilities that imply access to environment variables, files, network, and shell execution, but the manifest shown in SKILL.md declares no permissions. That mismatch can mislead users and reviewers about the effective trust boundary, reducing informed consent and weakening platform safety controls if permissions are expected to be explicitly disclosed.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The stated purpose is a local pre-publish security scanner, but the description also indicates billing through an external service, transmission of user identifiers/metadata, and extra interactive behavior not disclosed in the core purpose statement. This creates a transparency and trust problem: users may invoke a security tool expecting offline analysis while sensitive metadata is sent to third parties or charges are incurred.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script marketed as a pre-publish security check performs a remote billing action before any checklist logic runs. This creates a hidden side effect unrelated to scanning, can charge users unexpectedly, and sends identifying/payment metadata to a third party without clear in-script consent at the point of execution.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The script reads a payment API key from the environment even though the advertised function is a security checklist. Accessing credentials unrelated to the core checklist expands trust requirements and can surprise users who run the tool expecting only local analysis.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The module describes itself as an interactive checklist wizard, but execution includes a remote billing transaction before the wizard starts. This mismatch is security-relevant because users may grant trust and run the script under false assumptions about side effects and data flow.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is presented as a pre-publish security scanner, but it also performs a billing transaction to an external service before any scan occurs. This creates a hidden side effect that is outside the stated purpose, causes network exfiltration of user/account metadata, and can surprise users who expect a local-only analysis tool.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code reads a billing API key from the environment and sends a user identifier to an external payment API, behavior not justified by the declared security-scan function. In a security tool context, unexpected credential use and outbound transmission materially increase trust and privacy risk, even if the value accessed is only the tool's own billing key.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The module and CLI advertise a security scan, but execution is gated on successful billing. That mismatch is a deceptive design issue: users invoking a scanner may not reasonably expect a paid network transaction before the advertised function runs.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The billing request transmits user_id, skill_id, amount, currency, and description to an external service without any visible pre-disclosure or confirmation in this file. Silent transmission of user-linked billing metadata undermines transparency and can expose users to unexpected privacy and payment consequences.

Missing User Warnings

Low
Confidence
84% confidence
Finding
Reading the billing API key from environment variables without disclosure is not credential theft by itself, but it is a hidden credential dependency unrelated to the stated scan purpose. In a security tool context, undisclosed secret access is especially concerning because users reasonably expect minimal side effects.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The billing request transmits the user identifier to an external API before this code presents any clear user-facing disclosure about what data is being sent. For a security-related utility, undisclosed transmission of identifiers is a privacy and transparency issue that undermines user trust.

VirusTotal

66/66 vendors flagged this skill as clean.
