ClawHub
Back to skill

Security audit

Clarity Annotate

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: list and submit protein variant annotations to Clarity Protocol using user-provided API keys.

Install this only if you intend to let the agent interact with Clarity Protocol. Keep API keys scoped where possible, provide the write key only in trusted sessions, and review annotation content before allowing submissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
Without declared permissions the skill's intent is opaque and cannot be validated.

External Transmission

Medium
Category
Data Exfiltration
Content
url = API_BASE + endpoint

    try:
        response = requests.post(
            url,
            json=data,
            headers=get_headers(write=True),
Confidence
80% confidence
Finding
requests.post( url, json=

Env Variable Harvesting

High
Category
Data Exfiltration
Content
}

    if write:
        api_key = os.environ.get("CLARITY_WRITE_API_KEY")
        if not api_key:
            print("Error: CLARITY_WRITE_API_KEY environment variable is required for write operations.", file=sys.stderr)
            print("\nSet it with:", file=sys.stderr)
Confidence
70% confidence
Finding
os.environ.get("CLARITY_WRITE_API_KEY

Env Variable Harvesting

High
Category
Data Exfiltration
Content
sys.exit(1)
        headers["X-API-Key"] = api_key
    else:
        api_key = os.environ.get("CLARITY_API_KEY")
        if api_key:
            headers["X-API-Key"] = api_key
Confidence
70% confidence
Finding
os.environ.get("CLARITY_API_KEY

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal