ClawHub

Startup Validator

Security checks across malware telemetry and agentic risk

Overview

This startup-planning skill is a local helper with no evidence of exfiltration or destructive behavior, but it saves command text locally.

Install only if you are comfortable with startup ideas or market details entered on the command line being saved in the skill's local JSON file. Avoid passing secrets, API keys, or confidential strategy as arguments, and treat the tool as a lightweight template/helper rather than an automated market validator.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The validate command stores raw CLI arguments in a JSON file on disk without any notice, consent, or filtering. CLI arguments often contain sensitive business ideas, API keys, credentials, or personal data, and persisting them increases exposure through local file access, backups, logs, or source-controlled data directories.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The compete command also writes joined CLI arguments directly to disk, creating the same privacy and secret-retention risk. Competitive analysis prompts may contain proprietary market research, internal strategy, or credentials pasted by users, so silent persistence can leak sensitive information beyond the current invocation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The mvp command persists all supplied arguments into a shared JSON data file without warning. Users may pass product specs, environment values, tokens, or confidential implementation details on the command line, and storing them unredacted broadens the attack surface if the filesystem or backups are accessed.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal