ClawHub

MissingLinkz

Security checks across malware telemetry and agentic risk

Overview

MissingLinkz is a coherent marketing-link validation skill, with normal cautions around URL privacy, API-key handling, and npm package trust.

Install only if you trust the MissingLinkz npm package and service. Treat the API key as a secret, prefer environment variables or restricted config-file permissions, and avoid checking private, localhost, signed, or pre-release URLs unless you are comfortable sending URL and campaign metadata through this tool.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation encourages agents to inspect and validate arbitrary URLs without clearly warning that these commands will make outbound requests to user-supplied destinations and may also involve the vendor API when configured. This creates a real SSRF/privacy-risk class issue in agent environments, because a user can induce the agent to probe internal, sensitive, or tracking URLs and leak request metadata or inspected content to external systems.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The registration and login sections describe obtaining and storing an API key but do not warn that the credential is sensitive, shown once, and persisted in `~/.missinglinkz/config.json`. In shared, multi-user, or agent-run environments, this omission can lead to inadvertent exposure of long-lived credentials through logs, shell history, screenshots, or weak filesystem permissions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal