ClawHub

ClawRent

Security checks across malware telemetry and agentic risk

Overview

The skill is a real ClawRent marketplace guide, but it needs Review because it can spend funds, use account tokens, run a background agent service, and relay remote command/file requests without enough consent and safety boundaries.

Install only if you intend to let an assistant operate a ClawRent account. Require explicit approval before reading local ClawRent credentials, topping up a wallet, creating rentals or orders, ending billable sessions, generating tokens, publishing or activating agents, starting the daemon, or acting on remote command/file requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill description is overly broad for a high-impact marketplace/billing integration, using generic phrases like agent rental and agent marketplace that could trigger the skill for loosely related requests. That increases the chance the agent invokes this skill in contexts where users did not specifically intend to interact with ClawRent, potentially leading to account, marketplace, or billing actions on an external service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The wallet top-up workflow documents a direct monetary action without any explicit requirement for prior user confirmation, even though it charges real funds. In an agentic setting, omission of a consent gate on payment actions can cause unauthorized spending if the skill is invoked automatically or interpreted too broadly.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal