quantum-computing

Security checks across malware telemetry and agentic risk

Overview

This is a coherent UnifiedQuantum helper skill, with disclosed environment checks and cloud-token guidance that fit its stated quantum-computing purpose.

Install this if you want agent help with UnifiedQuantum. Review commands before allowing package installs or real cloud submissions, use dummy mode for tests when possible, and treat OriginQ, Quafu, or IBM tokens as sensitive credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 87%
Finding:
The skill content directs the agent to inspect the user's environment, check module paths, CLI availability, configuration files, and potentially install packages or use cloud/task tooling, which implies file read/write and network-capable behavior. Because no permissions are explicitly declared, the platform and user are not given a clear trust boundary for these operations, increasing the risk of unintended local changes, config access, or external connectivity during troubleshooting flows.

Missing User Warnings

Medium
Confidence: 88%
Finding:
The guide instructs users to store a cloud token in `~/.uniqc/uniqc.yml` but does not warn that this is a sensitive secret, should be protected with restrictive file permissions, and should not be committed, logged, or shared. In a CLI workflow guide, this omission can lead users to persist credentials insecurely or expose them through shell history, screenshots, backups, or source control.

VirusTotal

64/64 vendors flagged this skill as clean.
