ClawHub

Marketing Orchestrator Adarsh

Security checks across malware telemetry and agentic risk

Overview

The available evidence shows a purpose-aligned data-aggregation skill with disclosure and robustness gaps, but no artifact-backed deception, destructive behavior, or unsafe credential handling.

Before installing, confirm which external sources the skill queries, what rawData contains, and whether any collected data is logged or retained. Avoid using it on confidential third-party data unless the workflow clearly limits sources and output fields.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The skill documentation states that individual collector errors should not block the overall orchestration, but the pseudocode performs sequential awaited sub-skill calls without any try/catch or fallback handling. In practice, any single collector failure would abort the pipeline and prevent report generation, creating a denial-of-service and reliability weakness in the orchestration layer.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
This orchestrator aggregates data from multiple external sources and returns rawData, but the skill description provides no warning about collecting, correlating, and retaining potentially sensitive third-party information. That omission increases the risk of overcollection, unintended disclosure, or downstream misuse because users and integrators are not informed about privacy, consent, or data-handling expectations.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal