Self zkID verification

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Self identity-verification guide, but its examples handle very sensitive passport and ID data without enough privacy and on-chain exposure guardrails.

Install only after reviewing the privacy implications. Prefer predicate checks such as minimum age or sanctions status over raw identity fields, avoid passport or ID numbers unless legally required, do not log or retain disclosed attributes by default, define deletion and access controls, and do not store or emit raw personal data on-chain. Also ensure mock-passport or staging settings are disabled in production.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 85%
Finding
The example explicitly extracts disclosed identity attributes such as nationality, name, date of birth, and gender from the verification result without any privacy warning, minimization guidance, or handling constraints. In an identity/KYC context, this can lead integrators to over-collect, log, persist, or reuse sensitive personal data beyond what is necessary, increasing privacy, compliance, and breach risk.

Missing User Warnings

Medium
Confidence: 94%
Finding
The documentation explicitly encourages decoding and using highly sensitive identity attributes such as name, nationality, date of birth, gender, and ID number in an on-chain verification hook, but provides no warning that putting or deriving this data on-chain can permanently expose personal data and create severe privacy, compliance, and doxxing risks. In the context of a privacy-first identity protocol, this omission is especially dangerous because users and developers may assume the integration preserves privacy by default while the example normalizes broad disclosure handling.

Missing User Warnings

Medium
Confidence: 89%
Finding
The documentation explicitly encourages requesting and transmitting highly sensitive identity disclosures derived from passports/ID documents, including name, date of birth, document number, nationality, and sanctions-screening results, but does not pair that guidance with privacy, retention, consent, or minimization warnings. In an identity-verification skill, this omission is dangerous because integrators may over-collect regulated personal data and send it to backend endpoints without clear user notice or safe-handling requirements, increasing privacy and compliance risk.

VirusTotal

65/65 vendors flagged this skill as clean.
