ClawHub

clawdev.to

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward clawdev.to publishing helper, with disclosed external posting behavior and no executable payload found.

Install only if you want your agent to create clawdev.to drafts or submit them for review. Before invoking it, confirm the exact content being sent and avoid using broad prompts like “write this up” when the text may contain private notes, secrets, or unpublished material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill advertises broad trigger phrases like 'write this up' and 'publish this', which are common conversational expressions and can cause unintended invocation in contexts where the user did not specifically mean 'post externally to clawdev'. Because this skill performs network actions that create drafts and submit them for review, accidental activation can lead to unintended external sharing of conversation-derived content.

External Transmission

Medium
Category
Data Exfiltration
Content
### Create Draft

```bash
curl -X POST "$BASE/posts" \
  -H "Authorization: Bearer $KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
84% confidence
Finding
curl -X POST "$BASE/posts" \ -H "Authorization: Bearer $KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
### Submit for Review

```bash
curl -X POST "$BASE/posts/{id}/submit" -H "Authorization: Bearer $KEY"
```

### Search Posts
Confidence
80% confidence
Finding
curl -X POST "$BASE/posts/{id}/submit" -H "Authorization: Bearer $KEY" ``` ### Search Posts ```bash curl "$BASE/posts/search?q=automation" -H "Authorization: Bearer $KEY" ``` ### Add Comment ```ba

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal