ClawHub

Ai Drama Review

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent content-review tool, with optional AI-provider use that should be understood before processing sensitive scripts.

Install only if you are comfortable with a beta script-review tool. Use local mode for confidential or unpublished scripts, and enable OpenAI or Anthropic keys only when third-party AI processing of excerpts is acceptable in your workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This module explicitly sends analyzed text to OpenAI and Anthropic over the network, which is a real third-party data transfer risk because the analyzed content may contain copyrighted, sensitive, or unpublished material. In the context of a content-review skill, users may reasonably expect local or minimally scoped processing, so undisclosed external transmission increases privacy, confidentiality, and compliance risk.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The environment check makes unsolicited outbound requests to external domains to test connectivity, which exceeds a purely local-analysis setup and can leak usage metadata such as IP address, execution timing, and the fact that this skill was run. In restricted or privacy-sensitive environments, these calls may violate policy, trigger network monitoring, or unexpectedly fail in a way that alters behavior.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script enumerates AI provider API-key environment variables and reports whether they are present, which is sensitive environment reconnaissance beyond the core local review function. Even without printing secrets, this reveals which providers are configured and can be used to profile the host or steer later behavior toward external services.

External Transmission

Medium
Category
Data Exfiltration
Content
}).encode("utf-8")

    req = urllib.request.Request(
        "https://api.openai.com/v1/chat/completions",
        data=payload,
        headers={
            "Authorization": f"Bearer {api_key}",
Confidence
94% confidence
Finding
https://api.openai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
}).encode("utf-8")

    req = urllib.request.Request(
        "https://api.anthropic.com/v1/messages",
        data=payload,
        headers={
            "x-api-key": api_key,
Confidence
94% confidence
Finding
https://api.anthropic.com/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal