ClawHub

APM 상품 라이브러리 검색 API

Security checks across malware telemetry and agentic risk

Overview

This skill is a read-only product search helper that calls a disclosed public APMZoom API, with the main caution being that image URLs are sent to that service.

Install only if you are comfortable using worker.apmzoom.ai for product search. Use public, non-sensitive image URLs and avoid signed CDN links, intranet URLs, private storage links, or URLs that reveal account, customer, or proprietary inventory information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs users to send an externally hosted image URL to a third-party public API but provides no privacy or data-sharing notice. Even though the API is read-only and public, submitted image URLs may reveal sensitive product assets, internal CDN locations, user-associated media, or proprietary inventory information, creating avoidable confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents image-URL-based search but does not warn that any user-supplied image URL will be transmitted to the external service at worker.apmzoom.ai, and may also cause that service to fetch third-party resources. This creates a privacy and data-handling risk because users or downstream agents may unknowingly disclose sensitive image URLs, signed URLs, or internal resource locations to an external provider.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill asks users to provide an external image URL and states the backend endpoint it will call, but it does not clearly warn that the supplied URL will be transmitted to a third-party service. This can cause unintentional disclosure of sensitive or private image links, especially if users paste pre-signed, internal, or otherwise access-controlled URLs under the assumption that processing is local or trust-equivalent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal