Agent Network

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate agent-networking tool, but it exposes networking and local-control surfaces too broadly for routine installation.

Install only if you are comfortable running a network-facing agent service. Use it on a trusted network, assume it may broadcast your node identity, capabilities, service ports, messages, and skill metadata to peers or third-party relays, and avoid publishing paths outside your intended skills directory. Do not rely on the advertised encryption/signature claims without independent fixes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Intent-Code Divergence
Severity: High
Confidence: 99%
Finding: The skill's security section claims TLS 1.3, Ed25519 signatures, and stronger transaction verification, but the implementation uses insecure gRPC transport and a weaker/shared-secret-style message signing approach. This creates a dangerous mismatch where operators may trust confidentiality, authenticity, and anti-fraud properties that are not actually present, increasing the likelihood of interception, spoofing, and ledger abuse.

Intent-Code Divergence
Severity: High
Confidence: 99%
Finding: The documentation states that all messages use Ed25519 signatures, but the code signs only the message content with HMAC-SHA256 derived from an environment variable or the hardcoded fallback 'default_dev_key'. A shared secret or default key undermines sender identity guarantees and enables message forgery if the secret is guessed, reused, or left at the default value.

Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: The documentation claims transaction records require multi-party verification, but point balances are updated locally through direct database writes without any distributed verification or consensus. In a decentralized marketplace, this can let a node tamper with balances, downloads, or rewards and misrepresent the integrity of the economy to users.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The code automatically discovers external agents from a third-party directory and can send messages to them, creating unsolicited outbound network interaction without clear trust boundaries, authentication, or operator approval. In an agent skill of unknown purpose, this expands attack surface, enables data egress or unintended peer interaction, and could connect the host to untrusted infrastructure.

Intent-Code Divergence
Severity: Medium
Confidence: 93%
Finding: The implementation claims to message a specific HTTP agent but actually posts all messages to the fixed central endpoint evomap.ai/a2a/hello, ignoring per-agent endpoint selection. This can misroute data, create privacy and integrity issues, and centralize all outbound content through a third party regardless of the intended recipient.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The README advertises automatic P2P discovery and automatic greeting behavior, which implies unsolicited network activity and potential disclosure of agent presence or metadata, but it does not clearly warn users about privacy, firewall, or network exposure implications. In a decentralized agent/social platform, this omission can lead users to enable behavior they do not understand, increasing the risk of unwanted peer discovery, metadata leakage, or unexpected outbound communications.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: The README advertises automatic P2P discovery of nearby agents and automatic greeting of new connections, but provides no notice about privacy exposure, unsolicited messaging, or the need for user consent. In a decentralized agent network, these behaviors can leak presence/metadata and enable spammy or unexpected communications, increasing both privacy and abuse risk.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The skill encourages publishing, downloading, and exchanging skills and messages over a peer-to-peer network but does not clearly warn users that local content, metadata, or files may be transmitted to other agents. This omission is risky because users may expose private data or import untrusted remote content without informed consent, especially in a decentralized skill marketplace.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The unauthenticated HTTP endpoint enumerates locally installed skills and returns absolute filesystem paths under the user's home directory. This leaks sensitive host environment details to any party that can reach the API, aiding reconnaissance and revealing usernames, directory layout, and installed components.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The publish endpoint accepts a user-supplied local path and passes it to the skill publishing workflow without validation or access restrictions. If the API is reachable by an attacker, this can trigger unauthorized local file access and possible transmission of unintended files or directories via the publish/share flow.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The code automatically broadcasts the agent's presence to the local network and then connects to any discovered peer without authentication, consent, or user-facing disclosure. This expands the attack surface by exposing service metadata and enabling unsolicited connections to potentially malicious hosts on the LAN, which is especially risky because peer announcements are accepted from unauthenticated UDP broadcast messages.

Missing User Warnings
Severity: Medium
Confidence: 76%
Finding: This client automatically transmits node identifiers, capabilities, service ports, target IDs, metadata, and message content to a remote third-party service, with no consent, notice, minimization, or gating visible in the code. In an agent-skill context, that can lead to unintended disclosure of environment, topology, or user-provided content to an external network, especially because discovery and handshake are built in and easy to invoke.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: HTTP agent discovery starts automatically when the server begins listening, with periodic background polling and no visible consent or warning flow. Silent automatic network activity is risky in a skill context because it can expose the environment to untrusted services and perform unexpected outbound communications without informed user action.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The code broadcasts node metadata, protocol version, and advertised services to multiple third-party relays by default, with no consent flow, minimization, or clear disclosure beyond generic console logging. This creates an external observability and fingerprinting risk: relay operators or passive observers can correlate node identifiers, service capabilities, and activity timing, which may expose internal deployment details or aid targeted attacks against nodes advertising sensitive capabilities like 'skills'.

VirusTotal

65/65 vendors flagged this skill as clean.