ClawHub

strikeradar

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed StrikeRadar API wrapper with no evidence of credential access, local data collection, persistence, or destructive behavior.

Install if you are comfortable with the skill querying api.usstrikeradar.com through node/npx. Treat its risk scores as informational only, especially because the topic is sensitive and the skill itself says not to rely on them for personal, financial, or safety decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises 'No dependencies needed' and declares no permissions, yet it invokes a TypeScript script that clearly depends on external data sources such as news, Cloudflare Radar, oil prices, flight traffic, Polymarket, and Pentagon activity. That means the skill has undeclared network capability, reducing transparency and preventing proper review of what outbound connections and data flows occur at runtime.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrases include broad terms like 'Iran situation' and related geopolitical wording that can match ordinary news or discussion requests, causing the skill to activate outside a narrowly intended use case. In this context, overbroad activation is risky because the skill surfaces speculative strike-probability outputs about an active conflict topic, which can mislead users or override more appropriate general-purpose handling.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal