Adaptive Suite

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a very broad assistant that may send sensitive user or workspace content to an external API without enough scoping or disclosure.

Review this skill before installing. Use it only if you are comfortable with a broad assistant potentially sending prompts, code, business context, or local/NAS-related content to SkillBoss. Avoid using it on confidential repositories, private documents, credentials, customer data, or sensitive storage metadata unless the publisher adds clear scope, consent, and data-handling disclosures.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 95%
Finding
The manifest describes a single skill as spanning many unrelated domains, including coding, business analysis, project management, web development, data analysis, and NAS scraping. This overbroad scope increases the chance of inappropriate activation, excessive privilege assumptions, and unsafe handling of sensitive tasks because users and orchestrators cannot clearly bound what the skill is supposed to do.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill instructs use of an external API hub and requires an API key, but it does not disclose what user or workspace data may be transmitted, when that transmission occurs, or what third parties may receive it. In a broadly scoped adaptive skill, this omission is more dangerous because user prompts, code, business data, or NAS metadata could be routed externally without informed consent.

VirusTotal

65/65 vendors flagged this skill as clean.
