ClawHub

Beepack API Registry

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a disclosed Beepack package-discovery helper, but users should be careful about what project details they send to the external service.

Install only if you want your agent to consult Beepack during integration or API-client work. Before submitting feedback or suggestions, remove secrets, API keys, internal URLs, proprietary code, customer data, and sensitive business context; review any third-party package instructions before using them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill uses broad activation language such as 'Before coding any new integration, utility, or API client, search Beepack first,' which can cause it to trigger on a wide range of normal coding tasks. That creates unnecessary external dependency lookups and increases the chance the agent will pull in third-party code or instructions from package READMEs without sufficient trust boundaries or user intent confirmation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill encourages submitting feedback and suggestions containing project-specific details like adaptations, edge cases, use cases, and code diffs, but provides no warning against sharing secrets, internal architecture, proprietary logic, or customer data. In practice, users or agents could exfiltrate sensitive information to an external service while trying to be helpful, especially when reporting fixes or usage context.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal