ClawHub

Api Bridge

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill that lists public API examples; the main risk is that using the examples sends lookup data to third-party services.

Reasonable to install as a public API reference. Before using it, avoid sending confidential addresses, internal URLs, private IPs, sensitive domains, or business-sensitive finance queries to the listed third-party services unless sharing that data with those providers is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The ipapi example queries `https://ipapi.co/json/`, which causes the third-party service to learn the caller's current public IP and infer location metadata without any warning in the skill. In an agent context, this can disclose the runtime environment's network identity and approximate location, which may reveal infrastructure or user context unexpectedly.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The `urlmeta` section encourages submitting arbitrary URLs to an external metadata service but does not warn that user-supplied URLs will be transmitted off-platform. If agents pass sensitive internal, pre-release, or user-private links, this can leak confidential URLs and associated browsing intent to a third party.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal