hardware-info

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward hardware-report helper, but its reports can expose device identifiers if shared.

Install only if you want broad local hardware inventory. Review the generated report before sharing it, and redact serial numbers, UUIDs, MAC addresses, Activation Lock status, and other identifiers. Decline sudo or administrator prompts unless you specifically need the extra hardware detail.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill explicitly instructs collection of serial numbers, UUIDs, MAC addresses, and Activation Lock status as part of a default hardware report. These identifiers are sensitive and often unnecessary for answering generic hardware-info requests; exposing them increases privacy risk, device tracking risk, and potential abuse in support impersonation or asset targeting.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger phrases are very broad and map many common expressions directly to a comprehensive hardware-enumeration workflow. This raises the chance of accidental activation and over-collection, causing the skill to gather far more system information than the user likely intended from casual queries.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill tells the agent to directly collect and display sensitive device identifiers in a full report without warning the user about privacy implications. In this context, the omission is dangerous because the skill is designed for broad, default disclosure of system and network identity data rather than narrowly tailored troubleshooting.

Missing User Warnings

Medium
Confidence: 93%
Finding
The note suggesting use of sudo to overcome permission issues encourages privilege escalation without adequate safeguards or warnings. In a skill that already performs broad host enumeration, this increases the risk of collecting protected data, expanding blast radius, and normalizing elevated execution for routine requests.

Ssd 3

Medium
Confidence: 96%
Finding
The skill mandates collection and presentation of uniquely identifying device and network data by default in a comprehensive report. Because the skill context is a general hardware-info assistant rather than a tightly scoped asset-management or forensic tool, this default behavior is unnecessarily dangerous and increases privacy exposure for routine user queries.

VirusTotal

65/65 vendors flagged this skill as clean.
