Security audit

Skill Cad Generator

Security checks across malware telemetry and agentic risk

Overview

This CAD skill appears consistent with its stated purpose, but it needs review because its file-writing behavior is unsafe and its documentation does not match the included code.

Install only if you trust the environment and can tolerate review-level risk. Avoid untrusted project names or element text, keep any FRP/local renderer private, and ask the publisher to add path containment, safe filename validation, overwrite protection, authentication or explicit confirmation for remote rendering, and documentation that matches the actual implementation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 81%

Finding
The skill advertises operational capabilities that imply local file access and artifact generation, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: the host may not present proper consent boundaries, and reviewers/users cannot accurately assess what the skill can read or write.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%

Finding
The documented behavior says the skill sends JSON over an FRP tunnel to a remote workstation for rendering, while the observed behavior includes local project management and export functions that are materially different and broader. This mismatch is dangerous because it hides actual capabilities, undermines user consent, and may bypass review assumptions about network use, local file creation, and data handling.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%

Finding
The implementation materially differs from the declared skill behavior: instead of performing CAD parameter generation or controlled remote rendering, it accepts arbitrary action names and returns a generic success response for anything unknown. This kind of deceptive or incomplete stub can mislead orchestrators, monitoring, or higher-level agents into believing sensitive operations succeeded, which can bypass expected validation, error handling, and security controls around remote execution workflows.

Vague Triggers

Severity: Medium
Confidence: 84%

Finding
Stating that the skill can be called directly from AI assistant conversations without clear activation constraints increases the chance of unintended invocation on ambiguous user input. For a skill that can generate files, manage projects, or transmit data, weak invocation boundaries raise the risk of silent side effects and abuse through prompt injection or accidental triggering.

Missing User Warnings

Severity: Medium
Confidence: 88%

Finding
The skill description states that user-derived model parameters are transmitted to an M4 Pro workstation via FRP, but it does not provide an explicit warning or consent step for that data transfer. Even if the endpoint is described as internal, network transmission can expose sensitive design content, prompts, or proprietary project details to another system without the user's informed approval.

Missing User Warnings

Severity: Medium
Confidence: 87%

Finding
Project names are used directly in filesystem paths, and save_project writes unconditionally, so an attacker or untrusted caller can overwrite arbitrary files reachable via path traversal such as ../../target. In an agent setting, this is more dangerous than a mere lack of confirmation because it enables unauthorized file modification within the process's write permissions.

Missing User Warnings

Severity: Medium
Confidence: 91%

Finding
DXF/SVG output filenames are derived directly from the project name and written without path sanitization, allowing path traversal and arbitrary file overwrite if a crafted project name is supplied. In this skill context, file generation is a core feature, so unsanitized write paths create a realistic avenue for damaging local state or planting files in unintended locations.

Vague Triggers

Severity: Medium
Confidence: 93%

Finding
The trigger phrase "cad" is extremely broad and can match many benign user requests that merely mention CAD, causing the skill to activate outside its intended scope. In this skill, unintended activation is more concerning because it can generate parameter files and push work to a remote M4 Pro rendering pipeline, increasing the chance of unnecessary remote actions or confusing cross-skill routing.

Missing User Warnings

Severity: Medium
Confidence: 91%

Finding
The manifest explicitly states it will generate files and send data through an FRP tunnel to another engine, but it provides no user-facing disclosure about what data is transmitted, where outputs are written, or what side effects occur on the local system. In a skill that converts user descriptions into CAD artifacts and forwards them to a rendering service, this lack of transparency can lead to unintended disclosure of sensitive design data and unexpected file creation.

Missing User Warnings

Severity: Medium
Confidence: 93%

Finding
The skill requests write access to ~/DouCAD/engine/ and ~/DouCAD/output/ without any explicit notice or consent language explaining what files will be created or overwritten. Even though the paths are scoped, unauthorized or unexpected writes can overwrite project artifacts, persist unreviewed generated content, or be abused by downstream components if inputs are not tightly controlled.

VirusTotal

65/65 vendors flagged this skill as clean.