One API key for 70+ AI models. Route to GPT, Claude, Gemini, Qwen, Deepseek, Grok and more

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward LLM gateway client, but prompts, message history, and image links are sent to AIsa and routed through external model providers.

Install only if you trust AIsa and its routed model providers with the prompts, message history, image URLs, and metadata you choose to submit. Keep AISA_API_KEY protected, monitor usage and billing, and avoid sending secrets, private documents, internal image links, or regulated personal data unless your organization has approved that provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings (severity: Medium, confidence: 92%)

Finding: The README instructs users to send prompts and image URLs to a third-party API endpoint but does not disclose that user inputs and referenced media are transmitted off-system to an external service. In an agent skill context, this can cause users or integrators to unknowingly route sensitive prompts, documents, or image links to a remote provider, creating privacy and data-governance risk.

Missing User Warnings (severity: Medium, confidence: 95%)

Finding: The examples send user prompts and, in later sections, images to a third-party endpoint, but the documentation does not warn users that their content leaves the local environment. In an agent setting, users may paste sensitive data into prompts without realizing it will be disclosed to an external provider.

Missing User Warnings (severity: Low, confidence: 88%)

Finding: The skill instructs users to export an API key but gives no guidance on safe credential handling. This increases the chance of users hardcoding keys or pasting them into logs, shells, screenshots, or prompts, which can lead to credential leakage.

VirusTotal

66/66 vendors flagged this skill as clean.