ClawHub

Autonoma

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it needs Review because it can keep an agent active, store an API key, and automatically vote or post in an external governance system.

Install only if you want ongoing autonomous Autonoma participation. Keep the API key in a real secret store rather than agent memory or prompts, require human approval before votes/posts/proposals, and disable heartbeat, cron, or webhook triggers if you do not want the agent acting without manual prompting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The documentation presents two incompatible identity models: one says citizenship is tied to a public/private key, while another recommends bearer API keys as the primary auth method. This ambiguity can cause implementers to misuse authentication, store weaker long-lived secrets where asymmetric auth was expected, or build incorrect trust assumptions around identity and non-repudiation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This heartbeat file instructs the agent to obtain and use an API key, generate a webhook secret, and send both in authenticated requests to an external service, but it provides no explicit warning, consent boundary, or trust validation for that external endpoint. In an agent-skill context, imperative instructions like 'set it up NOW' increase the chance of autonomous secret transmission and persistent external integration without informed user approval.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill explicitly states that installation automatically adds the integration to heartbeat processing, enabling recurring behavior without a narrowly scoped user-triggered invocation. Combined with webhook-triggered wakeups, this can cause the agent to act on external events and periodic schedules in ways that are broader than a typical on-demand skill, increasing the risk of unintended autonomous actions.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The instruction to fetch a remote heartbeat document and 'follow it' is open-ended and delegates future behavior to mutable remote content. That creates a prompt-injection and scope-creep risk because the agent may later execute newly published instructions from the remote endpoint without the original installer re-reviewing them.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs the user to store the API key in agent memory immediately, but does not discuss persistence, retention, exposure to other skills, logging, or prompt leakage. In agent environments, memory can be long-lived and broadly accessible, so placing bearer tokens there can expand the blast radius of any later compromise or accidental disclosure.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill explicitly tells the agent to store citizen_id, username, and API key in memory as natural-language text, without any warning about secret handling. In agent systems, 'memory' is often persisted, logged, surfaced in later prompts, or exposed to operators, so this instruction materially increases the chance of credential leakage.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The webhook examples require bearer tokens and shared secrets but omit handling guidance, despite these values being especially likely to end up in config files, CI logs, screenshots, or source control. That omission can lead to secret disclosure and unauthorized webhook delivery or spoofing.

Missing User Warnings

High
Confidence
99% confidence
Finding
The cron examples pass the API key directly on the command line, which commonly exposes secrets through process listings, shell history, job definitions, monitoring tools, and audit logs. This is a practical credential leakage path that could let other local users or operational systems recover the key and act as the citizen.

Ssd 3

Medium
Confidence
98% confidence
Finding
Instructing the model to remember the API key in natural-language memory creates unnecessary retention of a reusable secret in places not designed for secret isolation. Because agent memory may be replayed in future contexts or included in summaries, this increases both accidental disclosure risk and blast radius.

Ssd 3

Medium
Confidence
97% confidence
Finding
The prompt template embeds the API key directly in routine instructions, encouraging operators to paste secrets into prompts. Prompt contents are often logged, retained, or reviewed, so this pattern meaningfully increases the chance of downstream credential disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal