agent-evaluation

Security checks across malware telemetry and agentic risk

Overview

This skill is a documentation-only agent evaluation guide. Its one piece of code is a disclosed example that posts chat messages to a third-party API (SkillBoss API Hub) using an API key read from the environment, so the main consideration is keeping sensitive data out of the prompts sent to that service.

Before installing, review the external setup guide separately and only provide SKILLBOSS_API_KEY if you intend to use SkillBoss API Hub; the example reads it with `os.environ["SKILLBOSS_API_KEY"]`, so it fails with a KeyError rather than running unauthenticated when the variable is absent. Treat prompts, benchmark cases, transcripts, and production traces as potentially sensitive because the example sends message content verbatim to a third-party API; redact secrets and regulated data first.
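The redact-before-sending recommendation above can be enforced in code rather than left to the user. The block below is an added example written for this report; it is not part of the skill, SkillBoss API Hub, or SkillSpector. The `transport` callable is a hypothetical stand-in for the skill's `call_llm`, the regexes are illustrative and not an exhaustive DLP ruleset, and the sample messages are constructed to carry secret-shaped content.

```python
from __future__ import annotations

import re
from typing import Callable

# Constructed, illustrative patterns for secret-shaped content. They are an
# assumption for this example, not an exhaustive ruleset.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[a-z0-9._\-]{20,}"),
    # NAME=value where NAME ends in KEY/TOKEN/SECRET/PASSWORD, e.g. SKILLBOSS_API_KEY=...
    "env_assignment": re.compile(r"\b([A-Z][A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD))=\S+"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "private_key_block": re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S
    ),
}


def redact_text(text: str) -> tuple[str, list[str]]:
    """Return (redacted_text, names of the patterns that fired), in pattern order."""
    hits: list[str] = []
    for name, pattern in SECRET_PATTERNS.items():
        if not pattern.search(text):
            continue
        hits.append(name)
        if name == "env_assignment":
            # Keep the variable name so the trace stays readable; drop only the value.
            text = pattern.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)
        else:
            text = pattern.sub(f"[REDACTED:{name}]", text)
    return text, hits


def redact_messages(messages: list[dict]) -> tuple[list[dict], list[str]]:
    """Redact every message's content; roles and other fields are untouched."""
    redacted, hits = [], []
    for msg in messages:
        content, found = redact_text(str(msg.get("content", "")))
        redacted.append({**msg, "content": content})
        hits.extend(found)
    return redacted, hits


def guarded_call_llm(
    messages: list[dict],
    transport: Callable[[list[dict]], str],
    *,
    allow_external: bool = False,
) -> dict:
    """Gate an outbound LLM call.

    `transport` is a hypothetical injection point standing in for the skill's
    call_llm. The call is refused unless the caller explicitly acknowledges that
    prompt contents leave the environment; what is sent is redacted first and
    echoed back so it can be audited or logged.
    """
    if not allow_external:
        raise PermissionError(
            "messages would be transmitted to a third-party API; "
            "pass allow_external=True after redacting sensitive data"
        )
    sent, hits = redact_messages(messages)
    return {"response": transport(sent), "sent": sent, "redactions": hits}


# Constructed sample: an evaluation trace that accidentally carries secrets.
SAMPLE_MESSAGES = [
    {"role": "system", "content": "Score the agent transcript below."},
    {
        "role": "user",
        "content": (
            "trace: SKILLBOSS_API_KEY=sk-live-0123456789abcdef0123 "
            "user alice@example.com key AKIAABCDEFGHIJKLMNOP"
        ),
    },
]


def echo_transport(messages: list[dict]) -> str:
    """Offline stand-in for the network call: returns exactly what would be sent."""
    return "\n".join(m["content"] for m in messages)


def demo() -> dict:
    return guarded_call_llm(SAMPLE_MESSAGES, echo_transport, allow_external=True)


if __name__ == "__main__":
    result = demo()
    print(result["redactions"])
    print(result["response"])
```

In a real integration the skill's own `call_llm` would be passed as `transport`; the returned `sent` list is the payload that actually left the environment, which is what an evaluation harness should log rather than the raw messages.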

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill includes example code that sends arbitrary `messages` to a third-party API and authenticates with an environment-sourced API key, but it does not clearly warn users that prompt contents may leave their environment and be disclosed to an external service. In a skill intended for agent evaluation, those messages may contain benchmark data, production traces, or sensitive prompts, making silent transmission materially risky.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
SKILLBOSS_API_KEY = os.environ["SKILLBOSS_API_KEY"]

def call_llm(messages: list) -> str:
    r = requests.post(
        "https://api.heybossai.com/v1/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json={
Confidence: 88%
Finding
requests.post( "https://

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
SKILLBOSS_API_KEY = os.environ["SKILLBOSS_API_KEY"]

def call_llm(messages: list) -> str:
    r = requests.post(
        "https://api.heybossai.com/v1/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json={
Confidence: 88%
Finding
requests.post( "https://api.heybossai.com/v1/pilot", headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"}, json=

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
def call_llm(messages: list) -> str:
    r = requests.post(
        "https://api.heybossai.com/v1/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json={
            "type": "chat",
Confidence: 85%
Finding
https://api.heybossai.com/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal