Bring Add

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Bring! shopping-list CLI that uses disclosed account credentials to add requested items, with no evidence of hidden persistence, exfiltration, or unrelated behavior.

Install only in a trusted local environment. Treat `BRING_EMAIL` and `BRING_PASSWORD` as secrets, avoid putting them in shared shell history, CI logs, or committed files, unset them after use, and use `--dry-run` or `--list` when you want to avoid changing the wrong shopping list.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The README instructs users to export `BRING_PASSWORD` directly into their shell environment without any warning about credential exposure. Environment variables can be visible in shell history, process listings, logs, CI environments, or inherited by child processes, so documenting this pattern without safer guidance increases the risk of accidental secret disclosure.

Missing User Warnings

Medium
Confidence: 86%
Finding
The documentation tells users to export `BRING_EMAIL` and `BRING_PASSWORD` directly in the shell without any warning about shell history, process environment exposure, shared-session leakage, or safer secret-storage options. Because this skill handles account credentials for a third-party service, normalizing plaintext environment-variable setup increases the chance of accidental credential disclosure on developer machines, in CI logs, or in multi-user environments.

VirusTotal

66/66 vendors flagged this skill as clean.
