webhook-post-task

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a webhook utility, but it can send arbitrary local file contents to arbitrary remote URLs without clear safety guidance.

Install only if you need a generic webhook sender and are comfortable checking every destination URL and payload yourself. Do not use it with secrets, credentials, personal data, private documents, or untrusted webhook URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The script exposes generic outbound network capabilities via both arbitrary URL fetches and arbitrary HTTP POSTs to user-supplied endpoints, without any domain restrictions, purpose limitation, or safety checks. In an agent-skill context this is dangerous because it can be repurposed for SSRF, for exfiltration of local file contents through POST, or for contacting attacker-controlled infrastructure under the guise of a generic utility.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The skill explicitly instructs users to send a local JSON file to an external webhook but provides no warning about data sensitivity, destination trust, authentication, or approval requirements. This can lead users to exfiltrate local data to arbitrary third-party endpoints, especially because the workflow normalizes network transmission as a routine step.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The code reads an arbitrary local file from --payload and transmits its contents to an arbitrary remote endpoint with no disclosure, consent flow, or destination validation. In practice this creates a straightforward exfiltration primitive: any sensitive file accessible to the process could be posted to an attacker-controlled server.
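The three findings above, and the overview's advice to check every destination URL and payload yourself, describe controls the skill lacks rather than code it contains. The following is an added example of what a hardened sender looks like; it is not the webhook-post-task skill's own code. It assumes the skill's interface is `--url <destination> --payload <json file>` (the page names --payload; --url, --payload-dir, the allowlisted host hooks.example.com and the 8.8.8.8 placeholder address in the comments are assumptions of this example). It adds a destination allowlist with a resolved-address SSRF guard, confines --payload to one directory, and requires explicit confirmation before anything leaves the host.

```python
"""Guard rails for a generic webhook sender (added example, not the skill's code).

Assumed interface: --url <destination> --payload <json file> [--payload-dir DIR].
"""
import argparse
import ipaddress
import json
import socket
import sys
import urllib.request
from pathlib import Path
from urllib.parse import urlsplit

# Constructed allowlist for this example; vet and replace with your own hosts.
ALLOWED_HOSTS = {"hooks.example.com"}
MAX_PAYLOAD_BYTES = 64 * 1024


def is_public_ip(addr: str) -> bool:
    """True only for globally routable unicast addresses: rejects loopback, RFC 1918,
    link-local (incl. 169.254.169.254 cloud metadata), multicast and reserved ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def resolve_all(host: str) -> list:
    """Every A/AAAA answer for host (default resolver; tests inject a fake one)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_destination(url: str, allowed_hosts=ALLOWED_HOSTS, resolver=resolve_all) -> str:
    """Return url if it may be contacted, else raise ValueError.

    Checks: https only, no embedded credentials, exact host match against the
    allowlist, then every resolved address must be public. The last check is
    defence in depth: whoever controls an allowlisted name's DNS can rebind it
    to 127.0.0.1 or an internal range after the name was vetted.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing scheme {parts.scheme!r}; only https is allowed")
    if parts.username or parts.password:
        raise ValueError("refusing URL with embedded credentials")
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise ValueError(f"host {host!r} is not on the allowlist")
    addrs = resolver(host)
    if not addrs:
        raise ValueError(f"host {host!r} did not resolve")
    for addr in addrs:
        if not is_public_ip(addr):
            raise ValueError(f"host {host!r} resolves to non-public address {addr}")
    return url


def payload_path_allowed(path: str, base_dir: str) -> Path:
    """Return the resolved payload path if it lies strictly inside base_dir.
    resolve() collapses '..' and follows symlinks, so neither traversal nor a
    planted symlink can reach a file outside the directory."""
    base = Path(base_dir).resolve()
    target = Path(path).resolve()
    if base not in target.parents:
        raise ValueError(f"payload {path!r} is outside {base}")
    return target


def load_payload(path: str, base_dir: str) -> bytes:
    """Read the payload only if it is confined, small, and actually JSON."""
    data = payload_path_allowed(path, base_dir).read_bytes()
    if len(data) > MAX_PAYLOAD_BYTES:
        raise ValueError(f"payload is {len(data)} bytes; limit is {MAX_PAYLOAD_BYTES}")
    json.loads(data)  # a key file or private document passed by mistake is refused here
    return data


def is_rejected(func, *args, **kwargs) -> bool:
    """True if the check raises ValueError (keeps refusals testable without I/O)."""
    try:
        func(*args, **kwargs)
    except ValueError:
        return True
    return False


def main(argv=None) -> int:
    ap = argparse.ArgumentParser(description="POST a confined JSON file to an allowlisted webhook")
    ap.add_argument("--url", required=True)
    ap.add_argument("--payload", required=True)
    ap.add_argument("--payload-dir", default="./outbox", help="only files under this directory may be sent")
    args = ap.parse_args(argv)
    try:
        url = validate_destination(args.url)
        body = load_payload(args.payload, args.payload_dir)
    except ValueError as exc:
        print(f"refused: {exc}", file=sys.stderr)
        return 2
    # Disclosure and consent: show exactly what leaves the host, and to where, before sending.
    print(f"About to POST {len(body)} bytes from {args.payload} to {url}")
    if input("Type 'send' to continue: ").strip() != "send":
        print("aborted")
        return 1
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        print(f"webhook responded {resp.status}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The allowlist is an exact-host match rather than a denylist of internal ranges because a denylist is what SSRF bypasses are built against; the resolved-address check is kept anyway so a rebound or poisoned allowlisted name still fails closed. Confining --payload to one directory is what turns "any file the process can read" into "files the operator put in the outbox on purpose".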

VirusTotal

66/66 vendors reported this skill as clean. Note that an antivirus verdict speaks to known malicious code, not to the findings above, which concern what the script is designed to do: a generic file-to-URL sender can be entirely free of malware and still serve as an exfiltration primitive.
