ClawHub

performance-profiler

Security checks across malware telemetry and agentic risk

Overview

This is a performance-profiling guide with manual examples that can be risky if copied into production, but the package itself is coherent and contains only Markdown instructions.

Safe to install as a reference skill. Before using its recipes, confirm you are working on systems you are authorized to test, keep debug and pprof endpoints local or behind strong access controls, handle heap snapshots as sensitive data, get approval before database-level changes or statistic resets, and run write-heavy load tests only in staging or isolated test environments with cleanup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The example adds an HTTP endpoint that writes heap snapshots to disk, and heap snapshots can contain highly sensitive in-memory data such as credentials, tokens, session material, and user data. Although the comment says to protect it with auth, the recipe does not strongly warn against using it in production or explain the sensitivity of the output, so readers may expose a dangerous debug capability.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The Go pprof example starts a profiling server on :6060 without restricting the bind address or warning that /debug/pprof exposes runtime internals, goroutine dumps, heap data, and CPU profiles. If reachable by untrusted users, these endpoints can leak sensitive operational details and assist further attacks or cause performance impact during profiling.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The load test script authenticates to a target environment and performs state-changing POST requests that create tasks, while the example invocation points at a staging URL and gives no strong warning about modifying remote data. This can lead to unintended data creation, test-account misuse, noisy monitoring, and accidental execution against the wrong environment if copied carelessly.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal