APM Authentication Center API

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only APM authentication API reference; it handles sensitive login data by design, but the behavior is disclosed and purpose-aligned.

Install only if you intend to let the agent help with this APM authentication API. Use least-privilege accounts, avoid admin credentials unless necessary, do not log or share passwords, SMS/email codes, access tokens, or refresh tokens, and confirm before sending verification codes or using login flows that may create accounts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (8)

Missing User Warnings

Medium
Confidence: 86%
Finding
The skill instructs users to store an access token in the APM_USER_TOKEN environment variable and reuse it in authenticated requests, but gives no warning about token sensitivity, rotation, shell history exposure, logging, or least-privilege handling. In an authentication-centric skill, this increases the chance of credential leakage through terminal history, process listings, shared environments, or accidental debug output, which could enable unauthorized API access.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill exposes a deterministic signing formula using MD5(account + login_pwd + 'sjpOkkmhm9ds').toUpperCase(), which embeds a static secret directly in documentation and derives the signature from the user's password. This is dangerous because MD5 is cryptographically weak, the hardcoded secret can be reused by anyone reading the skill, and password-derived request signing increases the risk of credential misuse, replay-style abuse, and propagation of sensitive authentication material into client code.

Missing User Warnings

Medium
Confidence: 86%
Finding
The skill explicitly instructs users to submit account credentials and obtain access and refresh tokens, but it does not warn that these are highly sensitive secrets or describe storage, redaction, and privacy handling expectations. In an agent context, this omission increases the risk of credential/token exposure through logs, traces, chat history, or unintended downstream use.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill documents transmitting a user's email address to an external API to send signup verification codes, but it does not warn the operator or user that personally identifiable information will be sent off-platform. In an agent context, this can lead to privacy violations, surprise data disclosure, and misuse if email addresses are submitted without informed consent or clear confirmation.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill documents transmission of a user's phone number and related login metadata to a remote third-party API but does not warn the operator that personal data will be sent off-system. This can lead to uninformed handling of sensitive personal data, privacy violations, and compliance issues, especially because the endpoint triggers SMS-based authentication activity tied to a real user identity.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill documents transmission of phone-related registration data to a remote API endpoint but does not warn users that personally identifiable information, including telephone number and regional metadata, will be sent off-platform. In an authentication context this increases privacy and consent risk, especially because the endpoint can trigger SMS delivery and process sensitive contact data.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly states that using this login flow will automatically create an account if none exists, but the quick-reference style documentation does not prominently warn about that side effect at the point of use. In an agent context, this can cause unintended account creation and token issuance for a phone number, which is a meaningful security and consent risk even if it is not a code-execution flaw.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill explicitly instructs callers to transmit an access token and states that successful validation returns user information, but it provides no warning about sensitive-token handling, minimization, or output redaction. In an authentication context, this increases the risk of token leakage, unsafe logging, or exposing returned identity data to unintended consumers.

VirusTotal

64/64 vendors flagged this skill as clean.
