dash-cog

Security checks across malware telemetry and agentic risk

Overview

This is a coherent dashboard-generation skill, but anything you put in prompts or uploaded datasets may be sent to the SkillBoss/HeyBoss API.

Install only if you trust SkillBoss/HeyBoss with the prompts and data you provide. Use a dedicated API key if possible, redact confidential fields from CSV/Excel/business datasets, and review generated HTML/JavaScript before opening or sharing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to send prompts and potentially uploaded business data to a third-party API, but it does not clearly warn that this content leaves the local environment. In a dashboard skill, prompts may include sensitive analytics, HR, finance, or uploaded CSV/Excel data, so lack of notice materially increases privacy and compliance risk.

External Transmission

Medium
Category
Data Exfiltration
Content
" For complex apps: plan the component structure first, then implement each section "
            "with full interactivity, animations, and polished UX."
        )
    result = requests.post(
        "https://api.heybossai.com/v1/pilot",
        headers={
            "Authorization": f"Bearer {SKILLBOSS_API_KEY}",
Confidence
90% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
" For complex apps: plan the component structure first, then implement each section "
            "with full interactivity, animations, and polished UX."
        )
    result = requests.post(
        "https://api.heybossai.com/v1/pilot",
        headers={
            "Authorization": f"Bearer {SKILLBOSS_API_KEY}",
Confidence
90% confidence
Finding
requests.post( "https://api.heybossai.com/v1/pilot", headers={ "Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json" },

External Transmission

Medium
Category
Data Exfiltration
Content
"with full interactivity, animations, and polished UX."
        )
    result = requests.post(
        "https://api.heybossai.com/v1/pilot",
        headers={
            "Authorization": f"Bearer {SKILLBOSS_API_KEY}",
            "Content-Type": "application/json"
Confidence
92% confidence
Finding
https://api.heybossai.com/

VirusTotal

66/66 vendors flagged this skill as clean.
