Dataify Google Local

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for Dataify Google Local API calls, but it needs review because credential handling and confirmation language could weaken user control.

Review before installing. Use this only when you intentionally want Dataify Google Local API calls, prefer DATAIFY_API_TOKEN over passing tokens on the command line, and make sure the confirmation table and prompt are understandable before approving any call.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger condition is broad enough that ordinary user requests about local search, nearby search, or place search could activate this skill unintentionally. That can route users into an external API workflow they did not explicitly request, increasing the chance of unintended data disclosure or unnecessary third-party calls.

Natural-Language Policy Violations

Medium
Confidence: 88%
Finding
The skill mandates a Chinese-language confirmation table format and interaction pattern without checking the user's preferred language. This can undermine informed consent by causing users to approve API calls without fully understanding parameters, especially where confirmation is a required safety control.

Natural-Language Policy Violations

Medium
Confidence: 90%
Finding
The prescribed confirmation prompt is hard-coded in Chinese and offers no locale choice. Because the prompt is the final gate before an external API call, language mismatch can cause users to confirm actions they do not understand, weakening the effectiveness of the confirmation safeguard.

VirusTotal

VirusTotal findings are pending for this skill version.
