
Security audit

Text Manipulation And Converter

Security checks across malware telemetry and agentic risk

Overview

This is a coherent remote text-processing skill, with the main caution that text submitted for conversion is sent to AgentPMT and may consume credits.

Install this only if you intend to use AgentPMT for remote text manipulation. Avoid sending secrets, regulated data, private code, customer data, or confidential pasted text unless you are comfortable with AgentPMT processing it, and prefer explicit invocation so generic cleanup requests do not trigger paid remote calls unexpectedly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding:
The activation keywords include broad, ordinary phrases such as cleaning text, formatting widths, and adding quotes, which can cause the skill to trigger for routine user requests unrelated to an informed choice to use a remote third-party service. In this skill's context, over-triggering is security-relevant because invocation sends user-provided text to AgentPMT-hosted endpoints, increasing the chance of unintended data disclosure.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The top-level description markets harmless text utilities but does not clearly and prominently warn that the user's text is transmitted to a remote AgentPMT-hosted service. Because users may submit sensitive pasted content for manipulation, insufficient disclosure can lead to accidental exfiltration of confidential text to an external processor.

VirusTotal

63/63 vendors flagged this skill as clean.
