ClawHub

Zip Unzip File Compression 100mb

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed remote AgentPMT zip/gzip tool that uploads archives and extracted files to cloud storage, so it is appropriate for non-sensitive large-file workflows but not local-only data.

Install this only if you are comfortable sending selected archives and extracted files to AgentPMT cloud services. Do not use it for secrets, customer data, regulated records, proprietary files, or anything that must stay local unless your organization has approved AgentPMT's storage, access, retention, and deletion practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The skill advertises very broad activation keywords, including generic terms like 'compress' and 'archive format', which can cause the skill to be invoked in contexts where the user did not intend to upload or transform files through this remote service. Because this skill transmits file contents to external cloud storage and returns signed URLs, accidental invocation increases the risk of unintended data disclosure and misuse.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The description and early sections do not prominently warn that both input archives and extracted outputs are uploaded to cloud storage and exposed via signed URLs. A user or agent may reasonably assume compression is local, causing sensitive files to be sent off-platform without informed consent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The schema explicitly states that all extracted files are uploaded to cloud storage during decompression, but it does not present this as a prominent privacy or data-handling warning. Users may reasonably expect local-style archive extraction semantics, so sensitive contents inside archives could be disclosed to remote storage unexpectedly, creating confidentiality and compliance risks.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal