ClawHub

public-opinion-insights

Security checks across malware telemetry and agentic risk

Overview

The skill appears to use a remote analysis service, but its handling of API keys and user-provided text is under-disclosed enough to merit review before install.

Install only if you are comfortable sending prompts and related content to the Midu service. Treat the API key as a secret, avoid committing or sharing the config file, restrict its permissions, and do not use the skill with confidential data unless the service and transport are approved for that data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide instructs users to retrieve an API key over plain HTTP from an internal endpoint and then store it directly in a user config file, but it does not warn that the key is a sensitive credential or recommend file permission hardening, secret rotation, or safer secret storage. This increases the risk of credential interception in transit, accidental disclosure in dotfiles, backups, screenshots, or source control, especially because the skill depends on a reusable API key to access an external analysis service.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script forwards the caller-provided message directly to a remote Midu service over the network without any disclosure, consent gate, or data-classification check. In an agent/skill context, users may provide sensitive internal incident details, names, or other confidential content that is then exfiltrated to an external service endpoint.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal