Back to skill

Security audit

ClawHub Publisher

Security checks across malware telemetry and agentic risk

Overview

This is a purpose-aligned ClawHub publishing helper, but it asks users to install unreviewed external packages and use broad publishing credentials for public release and account changes.

Review before installing. Verify the npm/PyPI package and repository provenance, pin exact versions, use a revocable least-privilege ClawHub token, run validation or dry-run first, and manually approve any publish, batch publish, rollback, Gumroad README injection, or team-member change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly promotes one-command publishing, deployment, changelog generation, and asset bundling, which implies it may modify local project files and transmit packaged project data to an external service. Because the description does not warn users about these side effects, users may invoke it without understanding that code, metadata, assets, or repository history could be uploaded or altered, increasing the risk of accidental data exposure or unintended releases.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.