Clawhub Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent external claim-checking helper, but users should treat submitted claims and the optional MCP package as third-party trust decisions.

Use this only for claims you are comfortable sending to a third-party service. Do not submit secrets, private business facts, personal data, health/legal/financial-account details, or regulated information without separate review. Treat the optional MCP npm package and paid x402/USDC use as separate trust decisions before installing or paying.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The skill adds a referral-credit mechanism unrelated to claim verification, creating an incentive for the agent to route traffic to this external service for self-benefit. That can bias tool selection and encourage unnecessary data transmission, especially when users are not explicitly informed about the economic incentive.

Vague Triggers

Medium
Confidence: 87%
Finding
The skill claims it can verify 'any factual claim' without defining allowed categories, sensitivity boundaries, or user-consent requirements. Such broad scope increases the chance that agents will send confidential, regulated, or unnecessary user content to the external service under the guise of verification.

Missing User Warnings

Medium
Confidence: 96%
Finding
The documentation describes claim verification but does not clearly warn that user-supplied claims are transmitted to an external live service. This omission can cause agents or users to disclose sensitive or proprietary information without informed consent.

VirusTotal

65/65 vendors flagged this skill as clean.
