Quantum Cryptographic Seed Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent but needs review because it uses a third-party hosted service to generate passwords, tokens, seeds, and RSA prime material without enough handling guidance for those secrets.

Review this before installing if you might use it for real credentials, API keys, encryption seeds, or RSA material. Use it only when you are comfortable with AgentPMT generating and returning those values remotely, and avoid production secrets unless you have reviewed the provider's security, logging, retention, and compliance practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 94%
Finding
The activation keywords include highly generic terms such as "password", "source", and "length", which can cause the skill to trigger in unrelated contexts. Because this skill sends requests to a remote service and can generate security-sensitive material, unintended invocation can lead to unnecessary disclosure of user intent, accidental external calls, or use of a hosted service when the user did not explicitly request it.

Missing User Warnings

High
Confidence: 97%
Finding
The description promotes generation of seeds, tokens, passwords, and key material through AgentPMT-hosted remote tool calls but does not clearly warn that this security-sensitive material is being generated by an external service. Users may reasonably assume local generation for cryptographic secrets; this mismatch can create serious trust, confidentiality, and compliance risks if remote handling is not explicit.

Missing User Warnings

Medium
Confidence: 94%
Finding
The schema documents generation of highly sensitive outputs such as passwords, tokens, and cryptographic seeds, but it does not warn that these values must be treated as secrets and never logged, echoed, stored insecurely, or exposed in chat transcripts. In an agent setting, this omission materially increases the chance that downstream tools, prompts, or users will mishandle generated secrets, leading to credential leakage or compromise of systems that rely on them.

VirusTotal

64/64 vendors flagged this skill as clean.
