ClawHub

Tmp.SizDUenTrO

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent, but it gives an agent credentialed access to student-linked Artsonia data and account-changing actions without clear confirmation or privacy guardrails.

Install only if you intend to connect your own Artsonia parent/fan account. Review the external artsonia-mcp package before supplying credentials, and require explicit confirmation before viewing student-linked information, posting comments, inviting fans, or changing notification settings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill trigger language is broad enough to activate on ordinary requests about a child's artwork or student portfolio, which can cause the agent to invoke a credentialed third-party service unnecessarily. In this context, the skill operates on student-related content and authenticated family/social features, so over-triggering increases the chance of unintended access to private student information or account-affecting actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documentation states that it logs in with username/password, maintains a session cookie, and exposes tools for reading student-linked data and performing social/account actions, but it does not warn about privacy sensitivity or require explicit user confirmation for impactful operations. Because this concerns student artwork, fan relationships, comments, and notification settings, missing privacy and action-safety guidance makes unintended disclosure or unauthorized account changes more likely.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal