Clawpod

Security checks across malware telemetry and agentic risk

Overview

ClawPod is a disclosed third-party web-unblocking and Google search skill, with privacy and acceptable-use cautions users should understand before using it.

Install only if you are comfortable sending requested URLs, search terms, and fetched page content to Massive's Unblocker service. Avoid secrets, private or internal URLs, credential-bearing links, regulated data, and scraping where you lack authorization; review the provider's terms, logging, and retention practices first.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The README instructs users to send arbitrary URLs or search queries plus a bearer token to a third-party anti-bot/proxy service, but it does not clearly warn that user-supplied inputs and fetched content are transmitted to an external provider. In an agent setting, this can lead to unintentional disclosure of sensitive URLs, internal endpoints, search terms, or credential-derived metadata to the service, especially because the skill is explicitly designed to bypass access controls and geo-restrictions.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly routes user-supplied URLs and search queries, along with an authorization token, to a third-party proxy/unblocker service, but it does not disclose the privacy, retention, or data-sharing implications. This is risky because users may provide sensitive targets or queries under the assumption the agent is fetching directly, while the service can observe request metadata and potentially returned content.

VirusTotal

65/65 vendors flagged this skill as clean.
