Post and manage errands for human workers

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what it says, but it can create paid errands and approve submissions that release USDC without a clear confirmation guardrail.

Review before installing. Use a scoped or revocable ErrandAI API key if possible, keep ERRANDAI_API_URL pointed at the official service, require manual confirmation outside the skill before posting paid errands or approving submissions, and avoid auto-approval or scheduled paid workflows unless you have spending limits and audit controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The README demonstrates approval and rejection actions that can trigger payment release, but it provides no guidance to require explicit confirmation or to warn users that these actions are irreversible. In an agent-driven workflow, this increases the chance of accidental approvals, mistaken payouts, or prompt-induced misuse causing financial loss.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding: The natural-language trigger patterns are broad enough to overlap with ordinary conversation, increasing the chance that the assistant invokes the skill unintentionally. In this skill, accidental invocation is more dangerous than usual because the skill can create errands and initiate financial workflows tied to real-world work and payments.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The documentation says approving a submission releases payment, but it does not clearly warn that this action is irreversible or financially sensitive. That omission can cause users or agents to approve work casually, leading to unintended transfer of USDC with little chance of recovery.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: When posting an errand, the skill sends parsed task details plus contextual metadata such as user ID, channel, and timestamp to an external API without explicit user notice or consent. In an agent setting, this can leak sensitive operational or identity metadata to a third party and may cause users to disclose location or task details they did not realize would be transmitted externally.

Missing User Warnings

Severity: High
Confidence: 95%
Finding: The review flow can approve a submission and release payment based solely on a natural-language command match, with no confirmation, preview, or secondary check. Because approval is explicitly irreversible and tied to a financial transfer, accidental invocation, prompt manipulation, or ambiguous parsing could cause unauthorized payment release or improper rejection.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The manifest requires an API key and declares network/API permissions for a third-party service, but it does not clearly warn users that errand details and related data will be transmitted off-platform to ErrandAI. This creates a transparency and consent problem: users may provide sensitive task details, locations, or submission content without realizing they are being sent to an external service.

Vague Triggers

Severity: Low
Confidence: 77%
Finding: The command trigger is broader and less specific than its examples, which increases the chance that approval/rejection phrases are matched unexpectedly or routed ambiguously. In a workflow that can approve or reject human work submissions, accidental invocation could cause unintended state-changing actions or reviewer mistakes.

VirusTotal

66/66 vendors flagged this skill as clean.