Clawhub Renderkit Skill

Security checks across malware telemetry and agentic risk

Overview

RenderKit is a straightforward helper for creating hosted pages and forms through its API, with expected third-party data sharing and API-key use.

Install only if you are comfortable giving the agent a RenderKit API key and sending selected page content, form definitions, and submissions to RenderKit. Avoid collecting secrets or sensitive personal data unless you have reviewed the provider's terms and have appropriate consent, and confirm form IDs before closing live forms.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill encourages creating hosted pages and forms and retrieving responses through a third-party API, but it does not clearly warn that user-provided content and collected submissions are transmitted to and stored by an external service. This can lead users to unknowingly send sensitive or regulated data off-platform, creating privacy, compliance, and data handling risks.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The documented DELETE operation closes a form but provides no warning about its destructive effect on ongoing data collection or whether the action is reversible. In operational use, this can cause accidental service disruption, lost submissions, or premature termination of a live intake process.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal