SWOTPal SWOT Analysis

Security checks across malware telemetry and agentic risk

Overview

The skill appears to provide legitimate SWOT analysis, but its cloud/API mode can send and store sensitive business inputs remotely without clear consent or data-handling disclosure.

Review this carefully before installing. Use Pro/cloud features only if you are comfortable sending SWOT topics, prompts, outputs, and saved analyses to SWOTPal. Avoid confidential strategy or internal company data unless the publisher documents retention, deletion, access controls, and a clear local-only or opt-out path. Protect and rotate the API key if exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The README advertises cloud sync and saving analyses to a SWOTPal account, which implies user prompts and generated content are transmitted to a remote service, but it does not clearly and prominently warn users about that data flow. In a business-analysis skill, users may submit confidential strategic plans, competitor assessments, or internal company information, so undisclosed remote transmission creates a meaningful privacy and data-handling risk.

Missing User Warnings

Severity: Low
Confidence: 83%
Finding:
The README instructs users to export an API key in an environment variable but gives no guidance on protecting the secret, such as avoiding hardcoding, shell history leakage, screenshots, shared terminals, or committing credentials to files. This is a lower-severity issue because environment variables are a standard mechanism, but incomplete handling guidance can still contribute to credential exposure.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The skill sends user-provided topics and may retrieve saved analyses from a remote API, yet the instructions do not require any explicit notice or consent before transmitting potentially sensitive business information off-platform. In a strategy-analysis context, users may submit confidential company plans, competitive assessments, or internal topics, so silent transmission materially increases privacy and data-handling risk.

VirusTotal

64/64 vendors flagged this skill as clean.