ClawHub

Agent Render Linking

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill creates shareable browser-rendered artifact links, with the main caution that the link itself contains the shared content.

Use this for non-sensitive artifacts you intend to share. Treat each generated URL as containing the artifact itself: anyone with the full link may be able to view the content, so avoid secrets, credentials, confidential files, or regulated data unless the user explicitly accepts that sharing model.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger guidance is broad enough to activate on generic requests like sharing, rendering, or weak chat formatting, which can cause the skill to handle content outside the user’s intended scope. In this skill’s context, misactivation is more concerning because it can route arbitrary artifacts into externally hosted links, increasing the chance of unintended disclosure or unnecessary third-party data exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill does not clearly warn that artifact contents are embedded in a URL fragment and then shared through a public external domain, which can mislead users into thinking this is equivalent to local rendering or private sharing. Even if the service is described as zero-retention, the generated link is still a bearer artifact that can be copied, logged by clients, exposed in screenshots, or shared unintentionally, making disclosure risk significant for sensitive content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal