ClawHub

AgentReach

Security checks across malware telemetry and agentic risk

Overview

This is a small marketing kit with templates and a simple ClawHub publish helper; its higher-risk actions are disclosed and fit the stated purpose.

Before installing or using it, inspect the publish script, confirm the target directory and metadata, and remember that publishing may upload your skill contents to ClawHub. Use the outreach lists responsibly and avoid automated or unsolicited bulk messaging.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly instructs users to execute a 1-click publish script against their own skill folder without describing what the script does, what resources it accesses, or what deployment side effects may occur. In a security-sensitive packaging context, encouraging blind execution of an unpublished shell script increases the risk of unintended deployment, credential misuse, data exfiltration, or modification of user projects if the script is later found to be unsafe.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script performs an external publication action immediately via `clawhub publish` without any confirmation prompt, dry-run mode, or explicit user-facing warning that content will be pushed to a remote service. This is dangerous because a user or calling automation can accidentally publish the wrong directory, version, or metadata, causing unintended disclosure or irreversible release of artifacts.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal