智护 AIOps

Security checks across malware telemetry and agentic risk

Overview

This AIOps skill appears purpose-aligned, but it handles platform and SSH credentials and can automatically create monitoring assets without enough safety guidance.

Review before installing in any real environment. Only use it with a trusted Zhihu AIOps backend, least-privilege platform credentials, and explicit user approval before connectivity tests or asset creation. Treat platform passwords, bearer tokens, SSH usernames/passwords, asset inventories, IPs, and telemetry as sensitive; do not paste them into shared prompts, logs, generated scripts, or reports unless properly redacted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The skill metadata says the release is documentation/reference-only, but this file instructs the agent to perform live authentication, connectivity testing, and asset creation against platform APIs. That mismatch can cause an agent or reviewer to underestimate that the skill performs state-changing operations and handles secrets, increasing the chance of unintended execution in production environments.

Intent-Code Divergence

Medium
Confidence: 87%
Finding
Although the document says passwords should be masked when displayed, the workflow requires collecting SSH credentials and sending them in cleartext request bodies, and the result template also displays the username. This creates a risk of credential exposure via logs, transcripts, shell history, debugging output, or agent tool traces, especially because the guidance does not prohibit echoing raw request bodies or command lines.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly instructs operators to supply and use highly sensitive credentials, including platform login secrets and target host passwords, but does not include concrete guidance to avoid logging, echoing, persisting, or exposing those values during use. In an agent-driven workflow, this increases the chance that secrets are copied into prompts, shell history, generated scripts, debug output, or reports, leading to credential leakage and downstream unauthorized access.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs the user to provide an SSH password and later sends it to the platform backend for connectivity testing and monitor creation, but it does not clearly disclose that the credential will be transmitted to a remote service. That omission undermines informed consent and can violate credential-handling expectations or internal policy, especially when the backend URL may be environment-controlled.

Missing User Warnings

Medium
Confidence: 88%
Finding
The document instructs users to obtain a Bearer Token and query managed asset and SNMP monitoring data, but it provides no warning about credential handling, authorization boundaries, or the sensitivity of infrastructure inventory and telemetry. In an AIOps context, this can normalize unsafe sharing or reuse of tokens and can lead to unnecessary exposure of internal device inventories, monitoring coverage, and operational state.
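The controls the Overview asks for and the findings above say are absent (backend allowlisting, explicit approval before connectivity tests or asset creation, and redaction of passwords and bearer tokens before anything reaches a tool trace, log or report) can be put in one small wrapper around the agent's HTTP calls. The following is an added example written for this page, not code from the 智护 AIOps skill or its backend; the trusted hostname aiops.example.internal, the request field names, and the approval callback are assumptions chosen for illustration.

```python
"""Credential-safe wrapper for an agent that talks to an AIOps backend.

Added example, not the skill's own code. The hostname, field names and
approval mechanism below are assumptions for illustration only.
"""
import re
from urllib.parse import urlparse

MASK = "***REDACTED***"

# Any key containing one of these substrings is treated as a secret, so
# `ssh_password`, `platformPassword` and `access_token` are all caught.
SECRET_KEY_PARTS = ("password", "token", "secret")

# Credentials may only be sent to backends the operator has explicitly trusted.
# Assumed hostname; in practice pin this in signed config, not a prompt.
TRUSTED_BACKENDS = {"aiops.example.internal"}

# Bearer tokens that leak into free-form text (command lines, debug output).
BEARER_RE = re.compile(r"(?i)(bearer\s+)[A-Za-z0-9\-._~+/]+=*")


def is_secret_key(key):
    """Case-insensitive substring match against SECRET_KEY_PARTS."""
    k = key.lower()
    return any(part in k for part in SECRET_KEY_PARTS)


def redact(obj):
    """Deep-copy a request/response structure with secret-named fields masked.

    Non-secret fields (IPs, hostnames, SNMP community names aside) pass through
    unchanged so the trace stays useful for debugging.
    """
    if isinstance(obj, dict):
        return {k: (MASK if is_secret_key(k) else redact(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def redact_text(text):
    """Mask bearer tokens inside free-form strings such as log lines."""
    return BEARER_RE.sub(r"\g<1>" + MASK, text)


def check_backend(url):
    """Refuse to send credentials anywhere but an allowlisted HTTPS host.

    Guards against an environment-controlled backend URL silently redirecting
    SSH passwords to a host the operator never approved.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError(f"backend must use https, got {parsed.scheme!r}")
    if parsed.hostname not in TRUSTED_BACKENDS:
        raise ValueError(f"backend host {parsed.hostname!r} is not trusted")
    return True


def require_approval(action, approve):
    """Gate state-changing actions on explicit operator consent.

    `approve` is a callable taking the action name and returning True/False,
    so it can be an interactive prompt in production and a stub in tests.
    """
    if not approve(action):
        raise PermissionError(f"operator declined: {action}")
    return True


def build_trace_entry(method, url, body):
    """The only form of a request the agent may write to its tool trace."""
    check_backend(url)
    return {"method": method, "url": url, "body": redact(body)}


def summarize_result(result):
    """Result template that reports host and status but never the SSH username
    or any credential, regardless of what the backend echoed back."""
    return {"host": result["host"], "status": result["status"]}


if __name__ == "__main__":
    # Constructed sample request, not real credentials.
    body = {"ip": "10.0.0.5", "ssh_username": "ops", "ssh_password": "hunter2",
            "auth": {"access_token": "eyJabc.def"}}
    require_approval("connectivity-test 10.0.0.5", lambda action: True)
    print(build_trace_entry("POST", "https://aiops.example.internal/api/ssh/test", body))
    print(redact_text("curl -H 'Authorization: Bearer eyJabc.def' ..."))
```

The substring match on key names is deliberately broad: a false positive masks a harmless field, while a false negative puts a password into a transcript that may be retained far longer than the credential's rotation window.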

VirusTotal

54/54 vendors flagged this plugin as clean.
