OpenAI-Compatible LLM Gateway

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for using a paid third-party LLM gateway; its external data transfer and payment flow are disclosed, but users should review privacy terms before sending sensitive prompts.

Install only if you are comfortable routing prompts, messages, and any payment-related API use through gocreativeai.com. Do not send secrets, regulated data, customer data, or internal business context until you have reviewed the provider's privacy, retention, logging, and downstream model-provider terms. If your agent can make arbitrary HTTP calls, consider restricting it to the LLM endpoints you actually intend to use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium (92% confidence)
Finding
The skill is presented as a narrow OpenAI-compatible LLM gateway, but it also advertises access to a much broader API surface including data and compliance tooling. That scope expansion can mislead users and agents into trusting a base URL that may enable unintended external lookups, broader data disclosure, or actions beyond simple text completion.

Missing User Warnings

Medium (96% confidence)
Finding
The skill instructs users to send prompts and chat messages to a third-party gateway without warning that potentially sensitive user, system, or business data will leave the local environment. In agent settings, this can cause confidential prompts, conversation history, or embedded secrets to be transmitted to an external provider without informed consent.

Missing User Warnings

Low (86% confidence)
Finding
Advertising bundled compliance and real-world data tools on the same API without warning about privacy and operational consequences can encourage agents to perform external lookups implicitly. This increases the chance of unintended disclosure of user queries, identifiers, or investigative context to third-party systems.

VirusTotal

62/62 vendors flagged this skill as clean.