Dataify Indeed Companies Info

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent for Dataify/Indeed data collection, but it needs Review because its token-handling instructions expose a Dataify API token through command-line arguments and may save it locally.

Install only if you are comfortable sending Indeed company collection parameters to Dataify and using a Dataify API token. Avoid pasting the token into command-line arguments; prefer an environment variable or a secure secret mechanism, and only save the token locally if you understand where it will be stored and how to remove it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill instructs the agent to access environment variables for `DATAIFY_API_TOKEN` and make outbound network requests to Dataify, but it does not declare corresponding permissions. That mismatch weakens governance and user awareness: an agent may handle secrets and exfiltrate user-supplied or environment-stored data to an external API without an explicit permission boundary.

Vague Triggers

Medium
Confidence: 90%
Finding: The trigger description is broad enough to match generic verbs like 'gather', 'fetch', or 'collect', which can cause the skill to activate for ordinary requests that are not clearly asking for Indeed scraping. In this context, mistaken activation is risky because the skill can initiate external scraping workflows and send parameters to a third-party API, potentially causing unintended data transfer or actions.

VirusTotal

65/65 vendors flagged this skill as clean.
