ClawHub

agent-directory

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only directory skill that uses a disclosed third-party scraping API; it has privacy considerations but no hidden, persistent, destructive, or purpose-mismatched behavior in the artifacts.

Install only if you are comfortable using a SkillBoss API key and sending requested public directory or skill-file URLs to SkillBoss for scraping. Review any fetched third-party skill.md before allowing an agent to act on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill includes runnable examples that send authenticated requests to an external API using `SKILLBOSS_API_KEY`, but it does not clearly warn that execution will transmit data off-host to a third-party service. In an agent skill context, users or automated systems may copy or invoke these examples without realizing they are authorizing external access and disclosure of requested URLs/content.

External Transmission

Medium
Category
Data Exfiltration
Content
SKILLBOSS_API_KEY = os.environ["SKILLBOSS_API_KEY"]

def pilot(body: dict) -> dict:
    r = requests.post(
        "https://api.heybossai.com/v1/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json=body,
Confidence
90% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
SKILLBOSS_API_KEY = os.environ["SKILLBOSS_API_KEY"]

def pilot(body: dict) -> dict:
    r = requests.post(
        "https://api.heybossai.com/v1/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json=body,
Confidence
90% confidence
Finding
requests.post( "https://api.heybossai.com/v1/pilot", headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
def pilot(body: dict) -> dict:
    r = requests.post(
        "https://api.heybossai.com/v1/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json=body,
        timeout=60,
Confidence
93% confidence
Finding
https://api.heybossai.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal