Clawhub Local

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed ClawHub/ClawdHub CLI helper for installing, updating, searching, and publishing skills, with no artifact-backed deception or hidden behavior found.

Install only if you intentionally want an agent to manage ClawHub/ClawdHub skills. Review the exact package and registry before global npm installation, avoid forced all-skill updates unless you trust the installed skills, and confirm publish commands before uploading local skill content.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill explicitly instructs users to run global package installation, authenticate to a remote service, install and update third-party skills, and publish local content to an external registry, but it provides no safety warnings, trust guidance, or confirmation requirements. In an agent-skill context, these actions can change the host environment and pull or push remote code/content, which increases the risk of unintended system modification or supply-chain exposure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal