ClawHub

Chinese Sensitive Words

Security checks across malware telemetry and agentic risk

Overview

It appears to do what it says, but text you check is sent to its online API.

Install only if you are comfortable sending checked copy to the configured API service. Avoid submitting confidential, regulated, or unpublished business text unless you trust the provider or configure SENSITIVE_WORDS_API_BASE to a private service, and keep any SENSITIVE_WORDS_TOKEN private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script transmits user-supplied text to a remote third-party API and may also send a bearer token, but it does not clearly warn the user that their input leaves the local machine. Because this skill is marketed for scanning marketing copy, scripts, and other potentially sensitive business content, users could unknowingly disclose private or regulated data to an external service.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script sends a network request to a remote host by default without an explicit runtime warning or consent, and the configured endpoint is a third-party domain. In the context of a content-scanning/compliance skill, users may reasonably assume processing is local; this can expose queried terms, usage patterns, and any associated token to an external service without clear disclosure.

External Transmission

Medium
Category
Data Exfiltration
Content
fi

# Call API
HTTP_RESPONSE=$(curl -s -w "\n%{http_code}" \
  -X POST \
  "${HEADERS[@]}" \
  -d "$PAYLOAD" \
Confidence
98% confidence
Finding
curl -s -w "\n%{http_code}" \ -X POST \ "${HEADERS[@]}" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal