Code Sandbox

Security checks across malware telemetry and agentic risk

Overview

This skill is a local code runner presented as a secure sandbox, but its actual isolation is too weak for untrusted code and may expose local secrets.

Install only if you will run trusted code or you can place this skill inside a separate disposable VM or hardened container. Do not treat it as a secure sandbox for strangers' code, and avoid running it in an environment that contains valuable files, network access, or secrets in environment variables.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: The skill is marketed up front as a 'Secure code execution sandbox' even though later sections admit it lacks key sandbox controls such as network isolation, enforced memory limits, containerization, and strong OS-level confinement. This can mislead users or downstream agents into trusting it for untrusted code execution, creating a documentation-driven security vulnerability through unsafe deployment assumptions.

Intent-Code Divergence
Severity: Medium
Confidence: 93%
Finding: The 'Security Features' section presents isolation and resource controls in a reassuring way, but the later limitations section states that memory limits are not actually enforced and that there is no network isolation. These contradictory claims can cause operators to overestimate the protection level and run hostile code in an environment that is not meaningfully sandboxed.

Intent-Code Divergence
Severity: High
Confidence: 99%
Finding: The file advertises secure, isolated sandboxing with Docker/Job Objects/vm2, but the actual implementation executes untrusted Node, Python, Go, and Rust code directly on the host using child_process.exec. No real isolation, privilege reduction, filesystem/network restrictions, or enforced CPU/memory controls are present, so arbitrary user code can access host resources and fully compromise the machine running this service.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The usage examples encourage execution of arbitrary Node.js and Python code early in the document, but readers are not warned until much later that the current implementation lacks network isolation and real memory enforcement. Presenting executable examples before prominent warnings increases the risk that users will treat the tool as safe for untrusted input and expose the host environment to compromise or abuse.

Missing User Warnings
Severity: High
Confidence: 98%
Finding: The Node executor passes the full host environment into untrusted code via env: { ...process.env, NODE_ENV: 'sandbox' }. This exposes secrets such as API keys, credentials, tokens, internal URLs, and configuration to attacker-controlled code, greatly increasing the blast radius of the already unsafe host-level execution.

VirusTotal

VirusTotal findings are pending for this skill version.