Security audit

AI Engineer

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only AI engineering guide, but users should be careful before copying examples that send data to AI providers or log full prompts and outputs.

Safe to install as a guide. Before using the examples in production, avoid sending confidential documents or user queries to hosted AI services without approval, do not store raw prompts or completions unless necessary, redact secrets and personal data, and set retention/deletion controls for vector stores, memories, and logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (94% confidence)

Finding
The examples explicitly send document chunks and user queries to external providers for embeddings and chat completion, but they do not warn that potentially sensitive internal content will leave the local environment. In an AI-engineering skill, users are likely to copy these patterns directly into prototypes or production systems, which can cause unintended disclosure of proprietary or regulated data.

Missing User Warnings

Medium (97% confidence)

Finding
The instruction to 'Log everything' encourages indiscriminate logging of prompts, completions, and related metadata without any safeguard for secrets, personal data, or confidential business content. In AI systems, prompts and outputs often contain sensitive user data, making broad logging a common source of data leakage, excessive retention, and compliance violations.

VirusTotal

66/66 vendors flagged this skill as clean.