Security audit

Global Digital Economy Connectivity Data

Security checks across malware telemetry and agentic risk

Overview

This is a text-only remote data-query skill with no hidden execution, though its e-government capability is overstated and users should know requests go to AgentPMT.

Install this if you want an AgentPMT-hosted tool for World Bank-style digital economy indicators. Avoid sending confidential investigation context in country/region queries, expect AgentPMT network calls and credit usage, and do not rely on the e_government option for EGDI or readiness scores unless live schema confirms support.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium, 95% confidence
Finding
The skill description advertises e-government readiness analysis, but later documentation states the `e_government` aspect returns an empty indicator set. This mismatch can cause agents or users to rely on nonexistent functionality and produce incorrect decisions or fabricated analysis, which is a security-relevant integrity issue.

Intent-Code Divergence

Medium, 94% confidence
Finding
Listing e-government readiness as a supported use case contradicts the note that the feature returns no indicator data. In an agent setting, this can misroute tasks to the skill and encourage unsupported outputs, creating integrity and trust problems rather than direct code execution risk.

Missing User Warnings

Medium, 88% confidence
Finding
The skill provides concrete MCP/REST invocation examples to external AgentPMT services, but the disclosure that user requests leave the local environment is weak and fragmented. Users or agents may send sensitive prompts, country lists tied to internal investigations, or other contextual data to third-party endpoints without informed consent or proper minimization.

VirusTotal

63/63 vendors flagged this skill as clean.