Shieldapi

Security checks across malware telemetry and agentic risk

Overview

ShieldAPI is a disclosed security lookup skill that sends selected indicators to an external paid API, with privacy and payment cautions but no hidden execution or malicious behavior found.

Use demo mode first, set wallet/payment limits before enabling paid x402 calls, and avoid submitting secrets, confidential internal URLs, sensitive prompts, private emails, or internal infrastructure indicators unless you accept ShieldAPI's external processing and logging practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Low
Confidence: 88%
Finding
The skill description is broad and markets many security-related capabilities without clearly constraining when the skill should be invoked. In agent ecosystems, vague invocation criteria can cause over-triggering on sensitive inputs such as passwords, emails, URLs, domains, or prompts, increasing the chance of unnecessary external transmission and paid requests to a third-party service.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly states that scanned domains, URLs, and IPs are actively logged to build a global security graph, but it does not present a strong pre-use warning or consent requirement before agents send such data. This creates a real privacy and confidentiality risk because user-provided or internal infrastructure indicators may be disclosed to a third party, and the security-focused context makes accidental transmission of sensitive investigation artifacts more likely, not less.

VirusTotal

64/64 vendors flagged this skill as clean.
