ClawHub

Writing Agent Human Style

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed AgentPMT-hosted writing tool that sends user-provided writing inputs to a remote service, with no evidence of hidden local execution, publishing, or destructive behavior.

Install only if you are comfortable sending the topic, posts, brand guidance, examples, and source material you provide to AgentPMT for processing. Do not include secrets, wallet keys, payment headers, confidential business material, or regulated personal data unless your policies allow it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The schema explicitly documents external POST endpoints and encourages callers to send user-supplied topic, context, source material, and posts to a third-party service, but it provides no user-facing disclosure or warning about that data leaving the local trust boundary. This creates a real privacy and data-handling risk because agents may forward sensitive prompts, proprietary source material, or third-party content to an external API without the user's informed consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This action accepts arbitrary social post content and sends it for remote processing, but the schema omits any warning that third-party text may be transmitted to an external service. That is dangerous because posts may contain personal data, confidential business communications, or licensed content, and users are not alerted that the material will be shared outside their environment.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal