moss

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Moss semantic search skill with disclosed search, indexing, credential, and sync concepts that fit its stated purpose.

Installing this as a reference skill is reasonable. Before using the Moss service it documents, protect project keys, avoid exposing them in client code or logs, confirm whether retrieval and sync stay local or use cloud services, and require clear user intent before indexing sensitive content or deleting documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 72%
Finding
The workflow recommends automatically querying Moss on each user message and injecting retrieval context, but it does not warn that user prompts may be transmitted to external or cloud-backed retrieval services depending on deployment. In voice-agent and conversational settings, this can lead to unintentional processing of sensitive user data and increases privacy and data-governance risk.

Missing User Warnings

Medium
Confidence: 81%
Finding
The documentation instructs users to set project IDs and access keys and to send the project key in headers, but it omits basic secret-handling guidance such as secure storage, least privilege, and avoiding exposure in client-side contexts. In an agent-skill setting, such omissions can lead developers to embed long-lived credentials in prompts, repos, logs, or browser code, enabling unauthorized access to indexes and document operations.

VirusTotal

49/49 vendors flagged this skill as clean.
