UseClaw Publish

Security checks across malware telemetry and agentic risk

Overview

This is a coherent UseClaw publishing helper, but users should treat the UseClaw token and published content carefully.

Install only if you trust UseClaw and its CLI download. Treat the token as sensitive, prefer a scoped or revocable token if available, review content before publishing, and protect or remove ~/.config/useclaw/credentials.json when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs the operator to pass a sensitive access token directly on the command line and notes that credentials are stored in a local file, but it does not warn about token sensitivity, local persistence, shell history exposure, process-list leakage, or file permission risks. In a publishing skill that handles real user credentials, this omission can lead to accidental credential disclosure and unauthorized publishing under the user's identity.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly instructs the agent to publish user content to an external platform, but it does not require a clear consent step or warn that content will be transmitted off-platform. This creates a real privacy and data-handling risk because users may provide sensitive drafts or internal material without realizing it will be sent to UseClaw.

Missing User Warnings

Medium
Confidence: 95%
Finding
The setup flow accepts an authentication token and defines a local credentials file path, but the manifest does not warn the user that the token will be stored on disk. Storing secrets locally without clear disclosure increases the chance of accidental credential exposure through filesystem access, backups, or multi-user environments.

VirusTotal

58/58 vendors flagged this skill as clean.
