ClawHub

StickyHive

Security checks across malware telemetry and agentic risk

Overview

StickyHive appears to be a coherent community-management CLI, but it gives agents live authority to publish, delete, trigger workflows, enroll members, and manage webhooks without built-in confirmation guardrails.

Install only if you intend to let an agent operate live StickyHive-connected communities. Use a test or least-privilege API key where possible, avoid exposing the key in prompts or logs, and require explicit review before publishing, deleting, toggling or running workflows, changing enrollments, or creating/deleting webhooks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill exposes destructive and high-impact operations such as deleting posts, deleting workflows, deleting sequences, publishing immediately, toggling automations, enrolling members, and creating webhooks, but provides no warnings, approval gates, or irreversibility notices. In an agent context, this is risky because a model could translate a broad user request into real changes affecting live communities, member communications, and integrations without adequate confirmation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The CLI exposes state-changing and destructive operations such as deleting posts, workflows, sequences, and webhooks, as well as publish/run/toggle actions, without any confirmation prompt, dry-run safeguard, or explicit warning. In an agent-executed context, a mistaken invocation, prompt injection, or parameter mix-up can immediately cause irreversible or hard-to-reverse changes in a user's external community systems.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal