Swmm Experiment Audit

Security checks across malware telemetry and agentic risk

Overview

This audit skill is mostly purpose-aligned, but it automatically runs Python code from sibling skill folders and the direct script writes audit notes into a home-directory Obsidian vault by default.

Install only if you trust the surrounding Agentic SWMM repository and any sibling skills under its skills/ directory. Prefer the canonical aiswmm audit path or pass --no-obsidian when you do not want audit notes copied into ~/Documents, and review any installed swmm-water-quality or swmm-uncertainty helper scripts before running audits on sensitive projects.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly instructs use of shell commands and file read/write behaviors, yet it declares no permissions or safety boundaries. This creates a transparency and control gap: an agent or platform may execute filesystem and shell-capable actions without an explicit permission contract, increasing the chance of unintended writes, command execution, or policy bypass in downstream integrations.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The audit script dynamically loads and executes a helper script from another skill path via `importlib`, turning a nominally local consolidation step into cross-skill code execution. If that helper file is modified, replaced, or comes from an untrusted repository state, running the audit will execute arbitrary Python with the user's privileges.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The audit flow conditionally triggers additional uncertainty-source decomposition logic, expanding behavior beyond passive artifact summarization into active orchestration of another module. That increases attack surface because simply auditing a run can execute extra code paths based on filesystem state, including code outside the core audit script.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Loading external helper scripts by file path and executing them with `exec_module` is effectively arbitrary code execution from repository content. Because the audit script treats another skill's script as executable code instead of trusted static data, any compromise or unexpected change in that file directly compromises audit-time execution.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Invoking a decomposition module at audit completion gives the audit command hidden execution side effects beyond producing provenance and notes. In a security-sensitive setting, this can surprise operators and enable malicious repository content to run under the guise of an innocuous audit step.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The direct script defaults to copying run-derived audit notes into a user home-directory Obsidian vault, which is a write outside the run directory and repository boundary. Because this happens by default, users or calling agents may unintentionally exfiltrate sensitive project metadata, paths, or run details into a secondary location that is less expected and potentially synced or backed up elsewhere.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The skill directs agents to run the audit after every attempt, including failed runs, but does not prominently state that this will create or update audit artifacts and may modify an external Obsidian index depending on invocation mode. In automated workflows, this can lead to silent state changes, accumulation of records, and modification of user knowledge bases without clear user awareness.

VirusTotal

64/64 vendors flagged this skill as clean.