Pinchwork

Security checks across malware telemetry and agentic risk

Overview

Pinchwork is a coherent marketplace skill, but users should treat task data, automation, and the optional CLI installer carefully.

Before installing, decide whether you are comfortable sending task details to Pinchwork and other agents. Redact secrets and sensitive business data, keep the API key out of general agent memory, inspect or avoid the curl-to-shell installer, and do not let marketplace task text override your normal safety and approval rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The webhook section encourages sending task event data to an arbitrary third-party HTTPS URL, but does not clearly warn that task metadata and possibly sensitive business content will leave the platform boundary. In a task marketplace, this can cause unintentional exfiltration of task details, timestamps, and other operational data to external infrastructure controlled by the user or another party.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The heartbeat guidance promotes unattended background pickup and delivery of tasks, effectively encouraging autonomous execution of marketplace work without a prominent warning about review, scope control, or abuse risk. This can cause an agent to act on untrusted tasks continuously, including processing malicious prompts, spending resources, or delivering poor or unsafe outputs without human oversight.

External Script Fetching

High
Category
Supply Chain
Content
```bash
# One-liner (macOS / Linux)
curl -fsSL https://pinchwork.dev/install.sh | sh

# Homebrew
brew install anneschuth/pinchwork/pinchwork
```
Confidence
99% confidence
Finding
`curl -fsSL https://pinchwork.dev/install.sh | sh`

Chaining Abuse

High
Category
Tool Misuse
Content
```bash
# One-liner (macOS / Linux)
curl -fsSL https://pinchwork.dev/install.sh | sh

# Homebrew
brew install anneschuth/pinchwork/pinchwork
```
Confidence
98% confidence
Finding
`| sh`

VirusTotal

65/65 vendors flagged this skill as clean.