MyVibe Skills

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real MyVibe publishing skill, but it needs review because it installs unpinned tools, stores authorization state, uploads local content and screenshots, and can delete a user-supplied config file.

Install only if you intend to publish the selected project to MyVibe and are comfortable with network uploads, local token storage, and a global browser automation dependency. Review the project for secrets before use, confirm public versus private visibility, avoid untrusted custom hub URLs, be cautious with --config paths because successful publishes delete that file, and review generated metadata so conversation details are not accidentally published.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The skill instructs the agent to globally install and execute external tooling (`agent-browser`) during the publish flow, which materially expands the code trust boundary beyond the stated task. This is dangerous because it causes arbitrary third-party code to be fetched and run with network-enabled execution, potentially exposing the environment to supply-chain compromise or unintended browser automation effects.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding: After a successful publish, the script unconditionally deletes the user-specified config file path with `unlinkSync(configPath)`. Because the config path is attacker- or user-controlled input from `--config`, this causes unexpected destructive behavior outside the stated publishing scope and can delete arbitrary local files that the current user has permission to remove.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: The authorization flow detects which AI agent/CLI is running via environment variables and appends that identity as the `tipsTitleApp` query parameter during auth. This is unnecessary for a publish-only skill and creates avoidable fingerprinting of the user's tooling to the remote service, increasing metadata exposure without a clear security need.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The file implements `createVibeFromUrl()`, which allows the skill to instruct the backend to fetch and publish content from an arbitrary URL even though the skill is described as publishing static HTML, ZIP archives, or directories. This expands the skill's capability beyond its stated scope and can enable server-side fetching of attacker-controlled URLs, potentially leading to SSRF-like abuse, access to internal resources via the MyVibe service, or publication of unintended remote content.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The skill tells the agent to install and run a global package without any user-facing notice or approval step. Silent installation of new executable tooling is risky because it bypasses informed consent and can introduce unreviewed code execution, persistent environment changes, and network activity unrelated to the user's original expectations.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: This code automatically uploads a generated screenshot of local content to a remote MyVibe hub, which can transmit sensitive information contained in the rendered page without an explicit per-action warning or consent checkpoint. In this skill context, the behavior is somewhat expected because the skill is for publishing content, but it is still risky because screenshots may expose secrets, internal URLs, tokens in rendered HTML, or unpublished/private material that the user may not realize is being sent off-host.

Ssd 3

Severity: Medium
Confidence: 96%
Finding: The skill explicitly authorizes using full conversation history as source material for a publishable description, which creates a real risk of leaking sensitive or private user information into public metadata. In the context of a publishing skill, this is especially dangerous because generated descriptions may be uploaded externally and become publicly visible or permanently stored.

VirusTotal

66/66 vendors flagged this skill as clean.