ClawHub

DataHub Unified Data Layer

Security checks across malware telemetry and agentic risk

Overview

This is a financial data access helper with disclosed external data-source use and no hidden executable payload, though users should be careful with credentials and query privacy.

Install this only if you intend to use DataHub for financial research data retrieval. Treat configured API keys and cookies as sensitive, avoid confidential research queries unless the providers are approved for that use, and prefer local or explicitly chosen sources when privacy matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases in the metadata are broad enough to match ordinary user requests like '获取数据' or '查行情', which can cause the skill to activate unexpectedly and route user requests into this skill without clear user intent. In a network-backed skill that fans out to many external data sources, over-activation increases the chance of unnecessary external requests and unintended disclosure of query content.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The 'When to Activate' section uses underspecified conditions such as general requests for financial data, natural-language queries, or building a pipeline, which overlap with many normal assistant tasks. Because this skill is designed to query numerous external services, ambiguous activation logic can cause silent external access when the user may have expected a local or purely conversational response.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises retrieval from 14 data sources and supports natural-language queries, but it does not warn users that their prompts or identifiers may be sent to third-party services. This creates a privacy and transparency risk because users may unknowingly disclose sensitive research interests, securities being analyzed, or other query content to external providers.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The API key and credential configuration section encourages integration with multiple third-party services, including cookie-based access, without any warning about credential sensitivity, storage, or outbound service access. This can lead to insecure handling of secrets and accidental use of third-party services under the user's credentials without informed consent.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal