Identity Guard

Security checks across malware telemetry and agentic risk

Overview

This identity guard has a coherent privacy purpose, but it can persistently change who is trusted and may authorize users too broadly when channel context is missing.

Review before installing. Initialize identities.json in a private, controlled session before adding the bot to groups, always pass trusted channel metadata to guard.sh, avoid global allowlists unless truly necessary, and restrict who can run init.sh or add-user.sh. Treat sender IDs and session logs as private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation directs the assistant to read and modify local authorization state (`identities.json`) and interact with helper scripts, but no permissions are declared to constrain or make those capabilities explicit. Hidden or undeclared file read/write behavior is dangerous in a security-sensitive skill because it can silently alter access control state or expose local data without clear operator awareness.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The advertised purpose is a narrow security gate for sensitive identity-related queries, but the documented behavior expands into authorization management, local identity discovery, and persistent config mutation. This mismatch is risky because users or orchestrators may invoke the skill under the assumption it only verifies access, while it can also change who is authorized and perform broader operations than expected.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script directly grants trust by appending arbitrary sender IDs to global or per-channel allowlists with no authentication, authorization, provenance checks, or audit trail. In a skill whose core purpose is enforcing an identity-security checkpoint for sensitive personal data, any exposed or misused path that can modify the allowlist can bypass that checkpoint and enable unauthorized disclosure.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
When CHANNEL is omitted, the script authorizes a sender if they appear in any channel allowlist or as any channel master, rather than enforcing identity verification tied to the current multi-user context. This weakens the manifest’s stated mandatory group-chat checkpoint and can let a caller bypass the intended per-session/per-channel gate by presenting only a sender ID without a validated channel context.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The code permits access based on global allowlist membership or membership in the specified channel’s allowlist/master field, which is broader than a strict identity gate if the surrounding system can supply CHANNEL or SENDER_ID without strong provenance. In a skill specifically meant to protect owner and sensitive memory queries, any overly broad authorization surface increases the chance of accidental disclosure.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This script does more than verify identity at runtime: it creates or modifies the trusted `master_id` in `identities.json` based on interactive input. That means whoever runs the script can redefine the authoritative identity for a channel, which is a trust-bootstrap and administrative action that can enable impersonation or unauthorized access to sensitive owner-related data if misused.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script has direct write access to the identity trust configuration and updates it using unsanitized user-supplied `CHANNEL` and `SENDER_ID` values embedded into `grep`, `sed`, and `awk` operations. In the context of a security checkpoint skill whose purpose is to protect sensitive identity-based access, granting easy local modification of the trust store undermines the control boundary and could let an attacker or careless operator replace the trusted identity or corrupt the config.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script does not verify identity at all; it merely extracts the most recent sender_id string from a session log. In a skill explicitly described as a mandatory security checkpoint for sensitive personal queries, this creates a fail-open condition where the agent may treat an unverified or attacker-controlled identifier as sufficient proof of identity and disclose protected information.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The inline documentation advertises only a 'best-effort extraction' of sender_id, directly contradicting the manifest's promise of a mandatory, non-negotiable identity verification gate. This mismatch is dangerous because operators or downstream agents may rely on the manifest's stronger security guarantees while the implementation provides only weak heuristic identification, increasing the likelihood of accidental sensitive-data disclosure.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The test suite explicitly validates add-user behavior, which means the skill includes authorization-list mutation in addition to identity verification. For a skill described as a mandatory security checkpoint, bundling policy-enforcement with policy-modification increases attack surface and creates a path for privilege expansion if the add-user path is exposed or misused.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Testing and therefore supporting authorization-list mutation is inconsistent with the stated purpose of immediate identity verification. In this security context, any capability that changes who is trusted can let an attacker or confused deputy convert a denied identity into an allowed one, undermining the gate entirely.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill describes chat-driven initialization that can set `master_id` in `identities.json`, but it does not emphasize the authorization-state takeover risk strongly enough. In a misconfigured or spoofable DM context, an attacker could potentially claim the uninitialized system first and permanently establish themselves as the master for that channel.

VirusTotal

65/65 vendors flagged this skill as clean.
