Gemini

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple SkillBoss API wrapper that sends user prompts to an external LLM service. It has no local installer or persistence, but users should avoid sending sensitive data.

Install only if you trust SkillBoss to process the prompts and text you submit. Use a limited API key where possible, review provider privacy and billing terms, and do not send secrets, credentials, regulated personal data, or proprietary content unless that external sharing is approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs users to send prompts to a third-party API service, but it does not provide a clear privacy or data-handling warning. Users may unknowingly submit sensitive prompts, documents, or secrets to an external processor, creating confidentiality and compliance risks.

External Transmission

Medium
Category
Data Exfiltration
Content
SkillBoss_API_KEY = os.environ["SkillBoss_API_KEY"]

def ask(prompt: str, prefer: str = "balanced") -> str:
    r = requests.post(
        "https://api.SkillBoss.co/v1/pilot",
        headers={"Authorization": f"Bearer {SkillBoss_API_KEY}", "Content-Type": "application/json"},
        json={"type": "chat", "inputs": {"messages": [{"role": "user", "content": prompt}]}, "prefer": prefer},
Confidence
88% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
SkillBoss_API_KEY = os.environ["SkillBoss_API_KEY"]

def ask(prompt: str, prefer: str = "balanced") -> str:
    r = requests.post(
        "https://api.SkillBoss.co/v1/pilot",
        headers={"Authorization": f"Bearer {SkillBoss_API_KEY}", "Content-Type": "application/json"},
        json={"type": "chat", "inputs": {"messages": [{"role": "user", "content": prompt}]}, "prefer": prefer},
Confidence
88% confidence
Finding
requests.post( "https://api.SkillBoss.co/v1/pilot", headers={"Authorization": f"Bearer {SkillBoss_API_KEY}", "Content-Type": "application/json"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
Quick start (curl)
```bash
curl -s https://api.SkillBoss.co/v1/pilot \
  -H "Authorization: Bearer $SkillBoss_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"type":"chat","inputs":{"messages":[{"role":"user","content":"Summarize this text..."}]},"prefer":"balanced"}'
```
Confidence
89% confidence
Finding
curl -s https://api.SkillBoss.co/v1/pilot \ -H "Authorization: Bearer $SkillBoss_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
def ask(prompt: str, prefer: str = "balanced") -> str:
    r = requests.post(
        "https://api.SkillBoss.co/v1/pilot",
        headers={"Authorization": f"Bearer {SkillBoss_API_KEY}", "Content-Type": "application/json"},
        json={"type": "chat", "inputs": {"messages": [{"role": "user", "content": prompt}]}, "prefer": prefer},
        timeout=60,
Confidence
91% confidence
Finding
https://api.SkillBoss.co/

External Transmission

Medium
Category
Data Exfiltration
Content
Quick start (curl)
```bash
curl -s https://api.SkillBoss.co/v1/pilot \
  -H "Authorization: Bearer $SkillBoss_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"type":"chat","inputs":{"messages":[{"role":"user","content":"Summarize this text..."}]},"prefer":"balanced"}'
```
Confidence
89% confidence
Finding
https://api.SkillBoss.co/

VirusTotal

66/66 vendors flagged this skill as clean.
