Expanso pii-redact

Security checks across malware telemetry and agentic risk

Overview

This PII redaction skill appears non-malicious, but it sends unredacted sensitive text to OpenAI and can expose a network redaction service using the user's API key.

Install only if your policy allows unredacted PII to be processed by OpenAI. Prefer a local backend for sensitive or regulated data, bind MCP mode to localhost or add authentication before exposing it, stop any background server after use, and verify the remote deployment URL before deploying to Expanso Cloud.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The README states the skill uses AI and requires an OpenAI API key to redact PII, which implies sensitive personal data may be sent to a third-party model provider. Because the documentation does not clearly disclose privacy, retention, consent, or data-handling implications, users may unknowingly transmit regulated or confidential PII off-system.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The pipeline sends raw user-provided content to OpenAI via `openai_chat_completion`, and the skill is specifically designed to handle PII-bearing text. That means sensitive data leaves the local environment before redaction occurs, which defeats the privacy goal and can expose personal data to a third-party service without an explicit warning or consent gate.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: Submitted text is forwarded to the OpenAI API for processing, which can include highly sensitive PII because this skill is specifically designed to receive and redact such data. Sending raw PII to an external model before redaction creates a real confidentiality and compliance risk, especially when the file contains no in-band warning, consent mechanism, or minimization step before transmission.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The manifest offers a remote OpenAI backend for processing text that is explicitly expected to contain PII, but it does not warn users that sensitive input may be transmitted to a third-party service. In a privacy-focused skill, this omission is dangerous because users may assume redaction happens locally, causing accidental disclosure of regulated or confidential personal data before any redaction occurs.

VirusTotal

66/66 vendors flagged this skill as clean.