Sahabat Bumil 🤰

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Indonesian pregnancy information skill with quality caveats, but no hidden access, persistence, credential use, or malicious behavior was found.

Install only if you want Indonesia-focused pregnancy, nutrition, BPJS, MBG, hospital, and budgeting reference material. Do not use it as medical or legal/financial authority; confirm symptoms, medications, benefits, hospital costs, and program eligibility with qualified professionals or official sources. Avoid running the packaging script unless you review it first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 86%
Finding
The script performs `rm -rf $PACKAGE_DIR` without confirmation or safety checks, and the variable is unquoted. `PACKAGE_DIR` is hardcoded here, but destructive deletion in packaging scripts can still cause unintended data loss if the variable is later left empty, altered, or expanded unexpectedly: an empty value leaves `rm -rf` with no operand, and a value containing whitespace or glob characters is split into several paths before `rm` sees it. In the context of a local packaging helper this is more likely negligent than malicious, but it is still unsafe shell practice.
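The finding names the pattern but not a fix. The following is an added example, not the skill's own packaging script: it shows the unsafe line beside a guarded helper that refuses to delete anything unless the target is an absolute, `..`-free path naming a real directory strictly below a known build root. `BUILD_ROOT`, `PACKAGE_DIR`, the helper names and the throwaway paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the skill's own packaging script. It shows the unsafe
# pattern from the finding (`rm -rf $PACKAGE_DIR`) next to a guarded helper.
# BUILD_ROOT, PACKAGE_DIR and the throwaway paths below are assumptions.
set -u   # an unset PACKAGE_DIR now aborts the script instead of expanding to ""

# Unsafe: unquoted and unchecked. With PACKAGE_DIR="" this runs `rm -rf` with
# no operand; with PACKAGE_DIR="dist old" word splitting deletes two paths.
#   rm -rf $PACKAGE_DIR

# strip_trailing_slashes PATH: prints PATH without trailing slashes ("/" stays "/").
strip_trailing_slashes() {
    p=$1
    while [ "$p" != "/" ] && [ "${p%/}" != "$p" ]; do p=${p%/}; done
    printf '%s\n' "$p"
}

# safe_rmtree BUILD_ROOT TARGET
# Recursively deletes TARGET only if it is an absolute, ".."-free path that
# names a real directory strictly below BUILD_ROOT. Otherwise it prints the
# reason to stderr, deletes nothing and returns 1.
safe_rmtree() {
    root=$(strip_trailing_slashes "$1")
    target=$(strip_trailing_slashes "$2")

    # The allowed root itself must be absolute and must not be "/".
    case $root in
        /?*) ;;
        *) echo "refusing: build root must be absolute and not /: $1" >&2; return 1 ;;
    esac
    # Target must be non-empty, absolute, and free of ".." components.
    [ -n "$target" ] || { echo "refusing: empty target path" >&2; return 1; }
    case $target in
        /*) ;;
        *) echo "refusing: target not absolute: $target" >&2; return 1 ;;
    esac
    case "$target/" in
        */../*) echo "refusing: target contains ..: $target" >&2; return 1 ;;
    esac
    # Quoted "$root" is matched literally; /?* demands at least one more path
    # component, so neither the root itself nor a sibling like /build2 passes.
    case $target in
        "$root"/?*) ;;
        *) echo "refusing: $target is not below $root" >&2; return 1 ;;
    esac
    # Must be an existing directory and not a symlink that could redirect.
    [ -d "$target" ] || { echo "refusing: not a directory: $target" >&2; return 1; }
    [ ! -L "$target" ] || { echo "refusing: symlink: $target" >&2; return 1; }

    # Quote the expansion; `--` keeps a name starting with '-' from being read
    # as an option.
    rm -rf -- "$target"
}

# Demonstration on a throwaway tree constructed here, not a real build output.
BUILD_ROOT=$(mktemp -d)
PACKAGE_DIR="$BUILD_ROOT/pkg"
mkdir -p "$PACKAGE_DIR/contents"
safe_rmtree "$BUILD_ROOT" "$PACKAGE_DIR"     && echo "deleted $PACKAGE_DIR"
safe_rmtree "$BUILD_ROOT" ""                 || echo "blocked: empty path"
safe_rmtree "$BUILD_ROOT" "/"                || echo "blocked: /"
safe_rmtree "$BUILD_ROOT" "$BUILD_ROOT"      || echo "blocked: the build root itself"
safe_rmtree "$BUILD_ROOT" "$BUILD_ROOT/../x" || echo "blocked: .."
rmdir "$BUILD_ROOT"
```

The checks are deliberately ordered so that no `rm` runs until every precondition holds; `set -u` catches the unset-variable case at expansion time, and the `"$root"/?*` pattern is what prevents both deleting the build root itself and a prefix match on a sibling directory.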

Natural-Language Policy Violations

Medium
Confidence: 84%
Finding
The module-level description explicitly frames the skill around Jakarta hospitals and Indonesian nutrition/financial guidance, which hard-codes a locale-specific scope without any visible user consent, locale detection, or disclaimer that the advice is region-limited. In a pregnancy-support context, users outside Indonesia could receive inapplicable hospital, insurance, and nutrition guidance, leading to unsafe or misleading health and financial decisions.

Natural-Language Policy Violations

Medium
Confidence: 88%
Finding
The help text presents Jakarta- and Indonesia-specific hospital and nutrition features as the default command surface, without offering a way to choose another locale or warning that results are geographically constrained. Because this is a pregnancy-related assistant, that design can cause users to over-trust local medical and insurance recommendations that do not apply to them, increasing the chance of harmful misinformation.

VirusTotal

63/63 vendors reported this skill as clean.

View on VirusTotal