ClawHub

Environment Doc Author

Security checks across malware telemetry and agentic risk

Overview

The skill is a real environment-documentation tool, but its custom probe files can run arbitrary local commands and its outputs can persist sensitive machine details.

Install only if you want an agent to inspect and document the local development environment. Review any probe file like executable code before running it, and inspect generated JSON/Markdown before sharing or committing because it may contain hostnames, local paths, PATH entries, command output, and environment variable values.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script accepts `extraProbeData.checks` from a probe file and executes each `check.command` via `runCommand` with optional `cwd` and timeout. Because the probe file is external input and there is no allowlist or restriction to passive fact-gathering commands, anyone who can influence that file can trigger arbitrary local command execution, which exceeds the stated environment-detection purpose and can lead to code execution under the user's privileges.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The optional probe file can define arbitrary `checks` commands, and `run_checks` executes them directly via `subprocess.run`. In a skill whose stated purpose is environment verification and document generation, this creates a broad command-execution surface where a crafted probe file can run any local program, potentially causing side effects, data access, or persistence beyond mere fact gathering.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document explicitly defines a `checks` mechanism whose `command` array is executed exactly as provided, and it gives examples that invoke system utilities and shell interpreters. In the context of an agent skill that verifies local environment facts, this creates a real risk that users or downstream agents will run arbitrary local commands from a probe file without a clear warning, trust boundary, or safety constraints.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
`collectEnvironmentVariables` copies raw values of many environment variables into the snapshot, including paths and potentially sensitive variables added by baseline or probe data. Environment variables frequently contain usernames, home directories, internal paths, tokens, or service endpoints, so writing them verbatim to output can disclose local secrets or sensitive host metadata if the file is shared, logged, or committed.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The generated snapshot includes hostname, OS details, working directory, locale, PATH-derived entries, selected executables, and tool details, and may be written to disk automatically via `--output`. This creates a detailed fingerprint of the local machine and project layout, which can aid targeted attacks or unintentionally leak sensitive infrastructure and developer environment information when the artifact is exposed.

Missing User Warnings

High
Confidence
98% confidence
Finding
`collect_environment_variables` captures raw values for a large set of environment variables and later writes them into the snapshot JSON. These values can reveal usernames, home directories, internal install paths, virtualenv locations, and sometimes secrets or secret-adjacent configuration, creating an unnecessary local data exposure risk when printed to stdout or saved to disk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script emits a JSON snapshot containing hostname, cwd, platform details, PATH-derived entries, and other host context either to stdout or to a file without any warning. In agent workflows, stdout and generated artifacts are often ingested, logged, or shared, so this can leak machine-identifying and filesystem information beyond the immediate user context.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal