Ai Task Hub

Security checks across malware telemetry and agentic risk

Overview

This skill provides remote AI media/document processing and account points queries; the main user consideration is that selected files and account-continuity identifiers are sent to the BinaryWorks gateway.

Install only if you are comfortable sending selected images, audio, video, documents, text inputs, and points-account requests to BinaryWorks for processing. Avoid sensitive or regulated files unless your host clearly asks for consent, keep entry_user_key private, and review any separate connector package before installing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence

Medium (95% confidence)

The documentation claims only enabled public capabilities are advertised, but the execute input accepts any arbitrary capability string with no enum or schema restriction. If the backend relies on client-side guidance rather than strict server-side validation, an agent could invoke undocumented or internal capabilities, potentially bypassing intended exposure boundaries and accessing higher-risk functions. In this context, the risk is increased because the skill includes account-linked execution, media handling, and broader AI operations.

Description-Behavior Mismatch

Medium (91% confidence)

The skill exposes account connection, balance, and ledger actions that go beyond the stated task-processing scope, increasing the privilege and data-access surface without clear necessity. In an agent setting, this can enable unexpected access to billing metadata and account state, violating least privilege and creating a pathway for sensitive financial/account operations through a skill users may trust only for media processing.

Context-Inappropriate Capability

Medium (88% confidence)

The code instructs users or hosts to install a local command connector, which expands execution trust from a remote task API into local-machine command execution infrastructure. Even if framed as setup guidance, introducing a local connector materially increases attack surface and can lead to host compromise or unauthorized local access if the connector or bootstrap flow is abused.

Missing User Warnings

Medium (87% confidence)

The API documentation states that uploaded attachment bytes may be forwarded through the public bridge, but user-facing guidance focuses on hiding internal mechanics rather than clearly surfacing that user media will be transmitted to a third-party service. This can lead to users or host integrators sending sensitive images, audio, PDFs, or video without meaningful informed consent. The risk is heightened because the skill processes potentially sensitive biometric, document, and speech data.

Missing User Warnings

Medium (90% confidence)

The spec instructs hosts to persist and reuse entry_user_key to maintain stable account continuity, but it does not pair that persistence with an explicit user warning about ongoing account linkage across sessions or conversations. This creates a privacy and consent risk: users may not realize that future actions are being tied to the same external account identity, enabling cross-session tracking or unintended account reuse. The danger is greater here because the linked account governs balances, ledger history, and execution continuity.

Missing User Warnings

Medium (93% confidence)

This code uploads raw attachment bytes plus identifiers such as entry_host, agent_uid, conversation_id, and optionally entry_user_key to an external bridge endpoint without any explicit consent, allowlist enforcement, or minimization in this function. In an agent skill that handles user-supplied media, that creates a real data-exfiltration/privacy risk if callers do not clearly understand that local attachment data and conversation metadata will be transferred off-host.

Missing User Warnings

Medium (84% confidence)

Public bridge requests include bridge-context identifiers such as entry host, agent UID, conversation ID, and entry user key, but this file shows no explicit user-facing notice or consent boundary around transmitting them. These identifiers can be sensitive session-linking material; silent forwarding risks correlation, session misuse, or disclosure of cross-system context beyond what the user expects from an AI media-processing skill.

Missing User Warnings

Medium (86% confidence)

The skill automatically resolves and uploads attachment candidates through a public bridge before execution, with no visible disclosure in this file that user-provided files may be transferred to another service endpoint. In a skill handling images/audio/documents, silent forwarding of attachments can expose sensitive content and create privacy, compliance, and data-governance risks.

VirusTotal

66/66 vendors flagged this skill as clean.