ClawHub

Alvis Gemini Model

Security checks across malware telemetry and agentic risk

Overview

This is a simple documentation-only skill for calling a hosted SkillBoss LLM API, with the main consideration being that prompts are sent to that external service.

Install only if you are comfortable sending prompts and included text to SkillBoss's hosted service. Avoid secrets, regulated data, or proprietary content unless your organization has approved that provider and API-key scope.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs users to send prompts and text to a third-party API but does not provide any warning about data leaving the local environment or the privacy implications of transmitting potentially sensitive content. In a skill context, omission of this disclosure can lead users or downstream agents to unknowingly exfiltrate confidential prompts, documents, or personal data.

External Transmission

Medium
Category
Data Exfiltration
Content
SkillBoss_API_KEY = os.environ["SkillBoss_API_KEY"]

def ask(prompt: str, prefer: str = "balanced") -> str:
    r = requests.post(
        "https://api.SkillBoss.co/v1/pilot",
        headers={"Authorization": f"Bearer {SkillBoss_API_KEY}", "Content-Type": "application/json"},
        json={"type": "chat", "inputs": {"messages": [{"role": "user", "content": prompt}]}, "prefer": prefer},
Confidence
92% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
SkillBoss_API_KEY = os.environ["SkillBoss_API_KEY"]

def ask(prompt: str, prefer: str = "balanced") -> str:
    r = requests.post(
        "https://api.SkillBoss.co/v1/pilot",
        headers={"Authorization": f"Bearer {SkillBoss_API_KEY}", "Content-Type": "application/json"},
        json={"type": "chat", "inputs": {"messages": [{"role": "user", "content": prompt}]}, "prefer": prefer},
Confidence
92% confidence
Finding
requests.post( "https://api.SkillBoss.co/v1/pilot", headers={"Authorization": f"Bearer {SkillBoss_API_KEY}", "Content-Type": "application/json"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
Quick start (curl)
```bash
curl -s https://api.SkillBoss.co/v1/pilot \
  -H "Authorization: Bearer $SkillBoss_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"type":"chat","inputs":{"messages":[{"role":"user","content":"Summarize this text..."}]},"prefer":"balanced"}'
Confidence
91% confidence
Finding
curl -s https://api.SkillBoss.co/v1/pilot \ -H "Authorization: Bearer $SkillBoss_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
Quick start (curl)
```bash
curl -s https://api.SkillBoss.co/v1/pilot \
  -H "Authorization: Bearer $SkillBoss_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"type":"chat","inputs":{"messages":[{"role":"user","content":"Summarize this text..."}]},"prefer":"balanced"}'
Confidence
91% confidence
Finding
https://api.SkillBoss.co/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal