Unified LLM Gateway - One API for 70+ AI models. Route to GPT, Claude, Gemini, Qwen, Deepseek, Grok and more

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward LLM gateway client that sends user-provided prompts and image references to the documented AIsa API using a user-provided API key.

Use a dedicated, revocable AISA_API_KEY and set spending limits if available. Do not send secrets, regulated data, private documents, screenshots, or sensitive image URLs unless you have reviewed and accept AIsa's privacy, retention, routing, and billing terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 85%
Finding
The README explicitly instructs users to send prompts and image URLs to a third-party gateway service, but it provides no warning that prompts, images, and related metadata will leave the local environment and be processed by an external provider. In an agent setting, this can lead to unintentional disclosure of sensitive user data, proprietary prompts, or internal URLs because users may assume they are interacting directly with a model vendor rather than an aggregation service.

Missing User Warnings

Medium
Confidence: 95%
Finding
The chat-completions documentation shows prompts and conversation contents being POSTed to an external API but does not plainly warn users that all submitted text is transmitted to a third party for processing. This omission can cause operators to send sensitive prompts, system messages, or proprietary data without informed consent.

Missing User Warnings

Medium
Confidence: 97%
Finding
The vision section instructs users to submit image URLs or base64 image data to the external API without warning that the referenced images or raw image bytes leave the local environment. This is particularly risky because images may contain sensitive documents, screenshots, faces, location data, or embedded metadata.

VirusTotal

64/64 vendors flagged this skill as clean.
