A2a Server

Security checks across malware telemetry and agentic risk

Overview

This is a local agent messaging server, but it enables unauthenticated agent RPC and discovery, so users should review it carefully before using it outside a trusted localhost setup.

Install only if you plan to use it for local or otherwise fully trusted agent experiments. Do not expose it to a LAN, public host, or untrusted agents until authentication, authorization, TLS/WSS, identity binding, and message signing are added or enforced externally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
`unsubscribe()` only deletes local channel handlers and does not notify the server to terminate the subscription. This can leave the client logically unsubscribed while the server continues to deliver messages, causing stale data flow, unnecessary resource consumption, and possible continued receipt of sensitive messages despite user expectations.

Intent-Code Divergence

High
Confidence: 97%
Finding
The header advertises 'trust chain authorization', but the implementation accepts arbitrary WebSocket clients and trusts user-supplied fields such as agentId, from, and subscription targets without any authentication, authorization, or trust validation. In an agent-to-agent messaging server, this mismatch is dangerous because operators or downstream components may rely on nonexistent security guarantees, enabling agent impersonation, unauthorized message routing, discovery abuse, and unauthorized subscriptions.

Missing User Warnings

Medium
Confidence: 92%
Finding
The README advertises agent registration, discovery, P2P forwarding, RPC, offline queues, and capability-based remote execution while explicitly noting that trust-chain authorization and message signing are not yet implemented. This can lead users to deploy or integrate the service as if it were safe for inter-agent communication, enabling unauthorized agent impersonation, message spoofing, data exposure, and abuse of remote execution paths.

Missing User Warnings

Medium
Confidence: 89%
Finding
The quick-start and examples use ws:// connections without any warning that WebSocket traffic is plaintext unless protected by TLS. Users may copy these examples into real deployments, allowing network attackers to intercept or modify agent messages, credentials, task payloads, or RPC responses.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly enables agent-to-agent communication, RPC, publish/subscribe, capability discovery, and integration patterns that can route tasks to remote agents, while also stating that authentication/authorization and message signing are not yet implemented. That combination creates a real security risk because users may deploy a system that trusts unauthenticated peers, exposing data, actions, and agent workflows to spoofing, unauthorized access, and privacy leakage without a prominent warning.

VirusTotal

66/66 vendors flagged this skill as clean.