ClawHub

Decision Advisor

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward AI decision helper that sends decision details to a configured LLM, with no evidence of hidden access, persistence, or unrelated behavior.

Install is reasonable if you are comfortable with your configured LLM provider seeing the decision details you pass in. Do not include confidential business plans, financial details, legal issues, personal data, or trade secrets unless your provider configuration and retention policy are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill sends user-provided decision content, option text, and free-form context directly to an LLM in generateOptions without any consent gate, minimization, or disclosure. Because decision-support workflows often contain sensitive business, financial, legal, or personal details, this can expose confidential information to an external model provider unexpectedly.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
When no criteria are supplied, the skill makes another LLM call using the decision text, again without warning the user that their data will be transmitted. This increases exposure because even users who only expect local criteria defaults may have sensitive decision topics sent off-box implicitly.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The scoring loop repeatedly sends each option, criterion, decision, and context to the LLM, multiplying the amount of potentially sensitive data disclosed and increasing provider-side retention/logging risk. In this decision-advisor context, the repeated calls can reveal strategic plans or personal circumstances across many prompts, making the exposure more dangerous than a single one-off transmission.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal