ClawHub

NEXUS Data Profile

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real paid data-profiling service, but it needs Review because it can send dataset contents and payment credentials to a third-party API without clear auto-invocation or spend guardrails.

Install only if you trust NEXUS with the datasets you profile and are comfortable with paid remote calls. Avoid using it for secrets, proprietary data, personal data, or regulated records unless you have reviewed the provider's terms, retention practices, and payment limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The README states the skill is 'automatically invoked' when a matching task is detected, but provides no concrete trigger boundaries, approval requirements, or data-scope limitations. In an agent setting, ambiguous auto-invocation increases the chance that sensitive datasets are sent to the remote profiling service without clear user intent or informed consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README instructs users to POST input to a hosted external service but does not warn that dataset contents leave the local environment and are transmitted to a third party. For a data-profiling skill, this is especially risky because profiling commonly involves real datasets that may contain proprietary, personal, or regulated information.

External Transmission

Medium
Category
Data Exfiltration
Content
### API Call

```bash
curl -X POST https://ai-service-hub-15.emergent.host/api/original-services/data-profile \
  -H "Content-Type: application/json" \
  -H "X-Payment-Proof: $NEXUS_PAYMENT_PROOF" \
  -d '{
Confidence
92% confidence
Finding
curl -X POST https://ai-service-hub-15.emergent.host/api/original-services/data-profile \ -H "Content-Type: application/json" \ -H "X-Payment-Proof: $NEXUS_PAYMENT_PROOF" \ -d

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal