ClawHub

Admapix Repo

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed ad-intelligence skill that uses a provider API key to query ad and app analytics data, with no evidence of hidden persistence, destructive behavior, or unrelated data access.

Install this only if you are comfortable sending ad-search keywords, app names, and analysis requests to the AdMapix/SkillBoss service using your configured API key. Use a dedicated provider key, avoid confidential queries, and be cautious when sharing generated H5 result links.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger list includes very broad terms such as "revenue" and "market analysis," which can cause the skill to activate on unrelated user requests. That increases the chance of unintended external API calls and unexpected handling of user prompts, especially because this skill is wired to autonomously query a third-party service once invoked.

Vague Triggers

Low
Confidence
84% confidence
Finding
The routing logic defaults to Creative Search when intent is uncertain and defaults to Analyze mode when uncertain, which biases the system toward action rather than clarification. In a skill that can issue external requests autonomously, ambiguous defaults increase the risk of unnecessary data transmission and unintended third-party queries.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The documentation shows use of an API key header (`X-API-Key: $SKILLBOSS_API_KEY`) but provides no guidance on keeping the credential secret, avoiding client-side exposure, or storing it securely. In a skill/integration context, this omission can lead implementers to embed the key in front-end code, logs, screenshots, or shared examples, resulting in unauthorized API use.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal