Dataify Glassdoor Company By Url

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly purpose-aligned, but it handles a live Dataify API token in ways that can expose it unnecessarily.

Install only if you are comfortable with this skill handling a Dataify API token. Prefer a session-only environment variable or a secrets manager, avoid running the helper in CI/shared terminals/logged sessions, and rotate the Dataify token if it appears in terminal history, logs, screenshots, or shared curl output. Also verify the missing referenced parameter catalog before relying on the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill instructs users to persistently store an API token in shell profile files and user environment settings without any warning about local credential exposure, shell history leakage, or shared-account risk. While this is a common convenience pattern, embedding long-lived secrets in startup files increases the chance of accidental disclosure through dotfile sync, backups, support bundles, or local compromise.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly instructs users to persistently store an API token in shell profile files and user environment settings without warning about local credential exposure, shell history leakage, backup/sync propagation, or multi-user workstation risks. While storing API credentials in environment variables is common, recommending permanent storage as the default without safer handling guidance increases the chance of unintended disclosure.

Missing User Warnings

Medium
Confidence: 96%
Finding
The script reads a live API bearer token from the environment and embeds it directly into a printed curl command. This can expose credentials through terminal scrollback, shell history, logs, CI output, or copy/paste sharing, allowing anyone who sees the output to reuse the token against the Dataify API.

VirusTotal

VirusTotal findings are pending for this skill version.
