ClawHub

starlight-guild

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill openly connects agents to a third-party rewards system, but it can steer them into public social actions and reward operations without clear per-action user approval.

Review before installing. Treat this as a third-party task marketplace for your agent: do not allow automatic posting, commenting, upvoting, following, recruiting, coordinated missions, purchases, or USDT exchange. Require explicit approval for every fetched task and account-changing action, and remove or replace the hard-coded referral code unless you intentionally consent to using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent/user to register with a third-party service and obtain long-lived identifiers and an API key, then use them in later requests, but it does not clearly warn that sensitive credentials and identifiers will be transmitted to an external service outside the agent platform. This is dangerous because users may unknowingly disclose credentials or create persistent accounts with an unvetted service, increasing privacy, account, and supply-chain risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The task list explicitly encourages actions such as posting, commenting, upvoting, following, and recruiting on an external platform, but it does not warn that these actions may affect the user's accounts, create public activity, or violate platform rules. In context, this is more dangerous because the skill gamifies and incentivizes coordinated engagement, which can lead to account abuse, reputation harm, spam behavior, or policy violations on third-party services.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal