ClawHub

Performance Profiling

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate operations skill, but it includes copy-paste commands that can disrupt web services or databases without enough safety guardrails.

Install only if you trust the publisher and will use it in controlled environments. Before running any load test, confirm you own or are authorized to test the target, start with low concurrency, and avoid production unless there is an approved maintenance window. Treat database termination and log-reset commands as production-impacting operations that require explicit operator review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The file provides ready-to-run HTTP stress/load-testing commands, including concurrent requests and POST examples, without clearly constraining their use to authorized targets. Because these commands can be repurposed to generate disruptive traffic against public endpoints, the skill lowers the barrier to misuse beyond passive profiling guidance.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The PostgreSQL examples include `pg_cancel_backend(pid)` and `pg_terminate_backend(pid)` without any warning that they interrupt or forcibly terminate active sessions. In a troubleshooting guide, readers may copy these commands directly and disrupt production workloads, causing dropped connections, failed transactions, or service instability.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
`redis-cli SLOWLOG RESET` irreversibly clears Redis slow log diagnostic data, yet it is documented alongside read-only inspection commands without any caution. An operator following the cheat sheet could erase valuable forensic or performance troubleshooting evidence, hindering incident response and root-cause analysis.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The load-testing examples omit warnings that concurrent HTTP benchmarking can consume bandwidth, exhaust application resources, and degrade service availability. In a skill distributed to agents or users, the lack of explicit caution materially increases the risk of accidental denial-of-service against unintended or production targets.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal