Buddhist Counsel

Security checks across malware telemetry and agentic risk

Overview

The skill does what it says, but it can send sensitive mental-health details to an external paid API and spend USDC without clear consent safeguards.

Install only if you are comfortable with an external Anicca API receiving the described situation and with Awal spending $0.01 USDC per call. Require explicit approval before each use, avoid names or other identifying health details, verify the Awal CLI and wallet setup yourself, and set spending controls where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 93%
Finding
The trigger list is very broad and includes generic mental-health and emotional terms such as 'suffering,' 'anxiety,' 'depression,' and 'stuck pattern,' which can cause the skill to be invoked in many contexts beyond the user's informed intent. Because this skill sends highly sensitive mental-health disclosures to a paid third-party API, accidental invocation increases both privacy risk and unwanted payment/telemetry exposure.

Missing User Warnings

High
Confidence: 98%
Finding
The skill encourages transmission of highly sensitive mental-health information, including OCD, anxiety, depression, and crisis-related context, to a remote paid API without a prominent privacy warning or consent flow. In this context, the data is especially sensitive and may include health-related information, so omission of clear disclosure about third-party processing, payment linkage, retention, and jurisdiction materially increases privacy and compliance risk.

VirusTotal

65/65 vendors flagged this skill as clean.
