
Security audit

Agnost AI Analytics

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Agnost analytics integration skill, with disclosed telemetry examples that users should apply carefully to avoid sending sensitive data.

Install only if you intend to integrate Agnost AI analytics. Before using the examples, decide what data is allowed to leave your system, avoid sending secrets or regulated data, minimize or pseudonymize user traits such as names and emails, and disable or redact MCP input/output capture for sensitive tools.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (18)

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The skill's activation conditions are broad enough that an agent may apply it in situations beyond narrowly scoped Agnost telemetry integration, increasing the chance of inappropriate use of analytics code or guidance in unrelated contexts. While this is not an exploit primitive by itself, over-broad routing can cause accidental data collection or external transmission where it was not intended.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The documentation encourages tracking AI interactions, user inputs, outputs, and related metadata, but does not pair this with a clear privacy warning or consent/minimization guidance. In practice, this can lead implementers to send personal, confidential, or regulated data to a third-party analytics endpoint without adequate notice or controls.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The MCP examples enable input and output capture with `disable_input=False` and `disable_output=False`, which means tool arguments and results may be transmitted externally. MCP tool traffic frequently contains secrets, credentials, file contents, proprietary prompts, or user data, so enabling capture by default without a warning materially raises leakage risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The API reference explicitly encourages sending user metadata and event payloads, including fields like name, email, IP, args, and result, without any warning about data minimization, sensitivity, consent, or redaction. In an ingestion/analytics skill, this materially increases the chance that developers will transmit PII, secrets, prompts, tool inputs, and model outputs to a third-party service without appropriate controls.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The SDK reference explicitly encourages sending raw user inputs, model outputs, and user traits such as email, name, and company to a remote analytics endpoint, but it does not clearly warn about privacy implications, data minimization, consent, or handling of sensitive content. In an ingestion/analytics skill, users are likely to copy these examples directly, which can lead to unintentional transmission of PII, secrets, prompts, and model responses to third-party infrastructure.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The MCP example enables telemetry with `disable_input=False` and `disable_output=False`, normalizing full capture of tool arguments and results without a clear warning that these may contain sensitive user data, internal prompts, credentials, or proprietary outputs. Because this is an implementation guide for analytics ingestion, the context increases risk: developers may deploy the example unchanged into production MCP servers and silently exfiltrate sensitive content to the analytics service.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The documentation demonstrates sending raw user input, model output, and arbitrary metadata to an analytics service without warning that these fields may contain sensitive data, secrets, or regulated content. In practice, developers often copy examples directly, so this can lead to unintentional transmission of prompts, responses, emails, and other identifiers to a third party without consent or minimization.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The MCP examples enable tracking with `disableInput: false` and `disableOutput: false`, and the basic example implies default capture, without emphasizing that tool arguments and results may contain credentials, customer data, filesystem contents, or proprietary business information. Because MCP tools frequently handle highly sensitive inputs and outputs, copy-pasted defaults here can cause broad telemetry leakage to the analytics endpoint.

Ssd 3

Severity: Medium
Confidence: 94%
Finding: The skill promotes broad collection of conversation content and user-linked metadata for analytics without semantic limits or minimization rules. Because AI conversation streams often include sensitive prompts, personal data, internal documents, or secrets, sending them wholesale to analytics can create significant confidentiality and compliance exposure.

Ssd 3

Severity: Medium
Confidence: 95%
Finding: The `identify()` examples encourage attaching directly identifiable information such as name, email, company, and plan to analytics records. This increases privacy risk, expands breach impact, and may violate internal data minimization requirements when a pseudonymous identifier would suffice for most telemetry use cases.

Ssd 3

Severity: Medium
Confidence: 97%
Finding: Recommending MCP tracking with input and output capture enabled can expose the full data flowing through tools, including secrets, customer data, source code, and file contents. In an MCP context this is especially dangerous because tools often bridge to local systems, databases, and proprietary environments, making telemetry exfiltration more severe than ordinary app metrics.

Ssd 3

Severity: Medium
Confidence: 96%
Finding: The direct API examples explicitly send user email, encoded arguments, and results in telemetry payloads to an external service. This normalizes transmission of personal data and potentially sensitive operational content without showing minimization, consent, or sanitization, making accidental over-collection likely.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt from the skill, truncated by the scanner):

```python
}

# Create session
requests.post(
    f"{BASE_URL}/capture-session",
    headers=headers,
    json={
```

Confidence: 91%
Finding: `requests.post( f"{BASE_URL}/capture-session", headers=headers, json=`

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt from the skill, truncated by the scanner):

```python
)

# Capture event
response = requests.post(
    f"{BASE_URL}/capture-event",
    headers=headers,
    json={
```

Confidence: 94%
Finding: `requests.post( f"{BASE_URL}/capture-event", headers=headers, json=`

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt from the skill, truncated by the scanner):

#### Example

```bash
curl -X POST https://api.agnost.ai/api/v1/capture-session \
  -H "Content-Type: application/json" \
  -H "X-Org-Id: your-org-id" \
  -d '{
```

Confidence: 89%
Finding: `curl -X POST https://api.agnost.ai/api/v1/capture-session \ -H "Content-Type: application/json" \ -H "X-Org-Id: your-org-id" \ -d`

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt from the skill, truncated by the scanner):

#### Example

```bash
curl -X POST https://api.agnost.ai/api/v1/capture-event \
  -H "Content-Type: application/json" \
  -H "X-Org-Id: your-org-id" \
  -d '{
```

Confidence: 90%
Finding: `curl -X POST https://api.agnost.ai/api/v1/capture-event \ -H "Content-Type: application/json" \ -H "X-Org-Id: your-org-id" \ -d`

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt from the skill, truncated by the scanner):

#### Example

```bash
curl -X POST https://api.agnost.ai/api/v1/capture-session \
  -H "Content-Type: application/json" \
  -H "X-Org-Id: your-org-id" \
  -d '{
```

Confidence: 89%
Finding: `https://api.agnost.ai/`

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt from the skill, truncated by the scanner):

#### Example

```bash
curl -X POST https://api.agnost.ai/api/v1/capture-event \
  -H "Content-Type: application/json" \
  -H "X-Org-Id: your-org-id" \
  -d '{
```

Confidence: 90%
Finding: `https://api.agnost.ai/`

VirusTotal

65/65 vendors flagged this skill as clean.
