ClawHub

API Rate Manager

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward in-memory API retry and queue helper, but users should be careful because it can repeat API calls they provide.

Install this only if you want API calls you explicitly provide to be retried or queued. Use conservative maxRetries and queueSize values, avoid retrying non-idempotent actions such as purchases, deletes, posts, or installs without safeguards, and monitor usage on paid APIs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation clearly describes making outbound API requests to third-party services, but the skill does not declare corresponding permissions. This creates a transparency and policy gap: users and hosting platforms cannot accurately assess what network-capable behavior the skill may perform, increasing the risk of unexpected data transmission or API usage.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README promotes automatic retries and request queuing but does not warn users that requests may be deferred and executed later, potentially after context has changed. In an agent setting, delayed execution can cause unintended API actions, duplicate operations, or spending/side effects to occur outside the user's expected timing window.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill promotes automatic retries, queued execution, and batch processing without a prominent warning that these features can generate additional outbound requests, consume API credits, and resend user data to external providers. In practice, this can amplify cost, duplicate side effects on non-idempotent endpoints, and increase unintended data exposure.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal