Crypto Encoder Pro

Security checks across malware telemetry and agentic risk

Overview

This is a local crypto and encoding helper with no network, file persistence, or automatic install behavior, but users should avoid feeding real secrets into the sample history-logging code.

Install only if you are comfortable with a local helper for encoding and hashing. Do not paste real passwords, bearer tokens, API keys, JWTs, or other secrets into the provided sample code unless you remove or disable the in-memory history logging first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill logs user inputs and outputs into an in-memory history without warning, including potentially sensitive material such as passwords, tokens, JWT contents, secrets, or raw plaintext submitted for encoding and hashing. In a crypto/encoding utility, users are especially likely to supply sensitive values, so undisclosed retention materially increases the risk of inadvertent disclosure through debugging, later prompts, or downstream logging.

Ssd 3

Medium
Confidence: 98%
Finding
The _log method stores plaintext fragments of both input and output for every operation, which can capture secrets such as access tokens, passwords, HMAC material, decoded data, or personally sensitive content. Because this skill is specifically designed for cryptographic and encoding workflows, the context makes the retention more dangerous: users are likely to process exactly the kinds of secrets that should never be stored in plain form.

VirusTotal

66/66 vendors flagged this skill as clean.
