ClawHub

alv-gemini

Security checks across malware telemetry and agentic risk

Overview

This is a simple instruction-only skill for sending user prompts to a declared third-party LLM API, with no hidden install, persistence, or unrelated access.

Install only if you trust SkillBoss API Hub and are comfortable sending prompts and supplied text to that service. Use a dedicated, least-privilege API key, and avoid sending secrets, regulated data, or internal-only material unless your policies allow it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs users to send prompts to a third-party LLM API but does not warn that prompt contents will leave the local environment and be processed by an external service. This can cause inadvertent disclosure of sensitive data, especially in agent settings where prompts may contain private documents, credentials, or internal context.

External Transmission

Medium
Category
Data Exfiltration
Content
SKILLBOSS_API_KEY = os.environ["SKILLBOSS_API_KEY"]

def ask(prompt: str, prefer: str = "balanced") -> str:
    r = requests.post(
        "https://api.heybossai.com/v1/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json={"type": "chat", "inputs": {"messages": [{"role": "user", "content": prompt}]}, "prefer": prefer},
Confidence
92% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
SKILLBOSS_API_KEY = os.environ["SKILLBOSS_API_KEY"]

def ask(prompt: str, prefer: str = "balanced") -> str:
    r = requests.post(
        "https://api.heybossai.com/v1/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json={"type": "chat", "inputs": {"messages": [{"role": "user", "content": prompt}]}, "prefer": prefer},
Confidence
92% confidence
Finding
requests.post( "https://api.heybossai.com/v1/pilot", headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
Quick start (curl)
```bash
curl -s https://api.heybossai.com/v1/pilot \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"type":"chat","inputs":{"messages":[{"role":"user","content":"Summarize this text..."}]},"prefer":"balanced"}'
Confidence
90% confidence
Finding
curl -s https://api.heybossai.com/v1/pilot \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
Quick start (curl)
```bash
curl -s https://api.heybossai.com/v1/pilot \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"type":"chat","inputs":{"messages":[{"role":"user","content":"Summarize this text..."}]},"prefer":"balanced"}'
Confidence
90% confidence
Finding
https://api.heybossai.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal