Data Format Validation

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed remote data-format validation tool, but users should avoid sending real payment or banking data unless necessary.

Install only if you are comfortable sending validation inputs to AgentPMT-hosted MCP/REST services. Do not submit real full credit card numbers, IBANs, phone numbers, or other personal data unless the workflow requires it and you understand the service’s privacy, logging, billing, and retention terms; use test, masked, or minimal values when possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly encourages sending sensitive personal and financial data such as credit card numbers, IBANs, phone numbers, emails, and URLs to an AgentPMT-hosted remote validation service, but it does not provide a clear, prominent warning that this data leaves the local environment. Users may unknowingly transmit regulated or highly sensitive data to a third party, creating privacy, compliance, and data-handling risk even if the service itself is legitimate.

Missing User Warnings

Medium
Confidence: 78%
Finding
The credit-card validation action explicitly accepts full payment card numbers but provides no warning to avoid sending real PAN data or to minimize retention/logging. In an agent ecosystem using remote tool calls, this increases the risk that highly sensitive payment data is unnecessarily transmitted, logged, or handled outside compliant payment-processing controls.

Missing User Warnings

Medium
Confidence: 75%
Finding
The IBAN validation action accepts sensitive banking identifiers yet does not warn users about privacy, secure handling, or avoidance of unnecessary transmission to remote services. This can lead agents or users to send real banking data through external validation flows without clear safeguards, increasing exposure in logs, telemetry, or third-party systems.

VirusTotal

64/64 vendors flagged this skill as clean.
