ClawHub

Cloud Cost Audit

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a disclosed cloud cost audit guide, but users should sanitize billing and infrastructure details before sharing them.

Install is reasonable if you want cloud cost analysis, but provide the minimum necessary data. Redact secrets, account IDs where possible, customer information, internal hostnames, and sensitive architecture details before sharing billing exports or screenshots.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README instructs users to provide 'any cloud cost data' including billing exports, architecture descriptions, or stack/team details, which is a very broad trigger and data scope for invoking the skill. This can lead to unintended use on sensitive financial, infrastructure, or potentially regulated operational data without clear boundaries, increasing the chance of oversharing or misuse in automated agent workflows.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly invites users to provide cloud billing exports, cost management data, and architecture descriptions, which commonly contain sensitive financial, operational, and infrastructure details. Because the prompt provides no warning, minimization guidance, or redaction instructions, users may overshare account identifiers, internal topology, usage patterns, or commercially sensitive spend data that could increase privacy, security, or competitive risk if mishandled.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal