PostMe Deploy

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward deployment helper that uploads the selected web files to PostMe. Take care over which folder is deployed and which API endpoint is used.

Install this only if you intend to publish files to PostMe. Deploy a reviewed public build folder or a single HTML file, not a project root containing .env files, secrets, private assets, or proprietary source you do not want uploaded. Keep POSTME_API_KEY in an environment variable or secret store, and use the default PostMe endpoint unless you specifically trust the replacement URL.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Scope Creep

High
Confidence: 97%
Finding
The skill performs an outbound HTTP upload of local files to a third-party endpoint, while the manifest advertises only read/glob capabilities. This mismatch hides a sensitive data egress operation from the declared interface and can cause agents or users to authorize file access without realizing the contents will be transmitted off-host.

Missing User Warnings

Medium
Confidence: 94%
Finding
The description and overview say the skill will deploy local files and return a live URL, but they do not clearly warn that deployment means uploading local project contents to an external service. Without that disclosure, users may unintentionally expose source code, embedded secrets, or private assets under the assumption that this is a local-only publishing step.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill requires an API key for remote deployment but does not adequately warn users about credential handling, transmission, and the trust boundary introduced by sending authenticated requests to an external service. This increases the risk of careless credential use, leakage through logs or prompts, and misunderstanding about how the key is used during deployment.

VirusTotal

65/65 vendors flagged this skill as clean.
