Dataify Airbnb Product By Searchurl

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned, but it handles a Dataify API token in ways that can expose it in saved shell files and generated command output.

Review this skill before installing if you care about API-token hygiene. Prefer setting DATAIFY_API_TOKEN only for the current session or through a secret manager, avoid committing shell profiles that contain tokens, and modify or avoid the helper output so it prints Authorization: Bearer $DATAIFY_API_TOKEN instead of the actual token value.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 95%
Finding: The skill instructs users to persist an API token in shell profile files such as ~/.bashrc and ~/.zshrc without warning about local credential exposure, accidental check-in, shell history leakage, or multi-user system risks. While common, normalizing permanent plaintext storage of secrets increases the chance that the token is exposed or reused unsafely.

Missing User Warnings

Medium
Confidence: 88%
Finding: The document instructs users to persistently store DATAIFY_API_TOKEN in shell startup files or user environment variables without warning about credential exposure risks. Long-lived secrets in profile files can be read by other local processes, accidentally committed to dotfile repositories, or inherited into unintended sessions, increasing the blast radius of token compromise.

Env Variable Harvesting

High
Category: Data Exfiltration
Content:
def build_curl(tool: Dict[str, Any], spider_parameters_json: str) -> str:
    token = os.environ.get("DATAIFY_API_TOKEN", "").strip()
    if not token:
        raise SystemExit(
            "DATAIFY_API_TOKEN is not set. Sign in at https://www.dataify.com/ to obtain it, then export it as an environment variable."
Confidence: 96%
Finding: os.environ.get("DATAIFY_API_TOKEN

VirusTotal

VirusTotal findings are pending for this skill version.
