ClawHub

Clicky Analytics

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Clicky analytics helper that needs a Clicky site key, with credential-handling hygiene issues but no hidden or unrelated behavior.

Install only if you are comfortable giving the agent access to your Clicky analytics. Store the Clicky site key in a protected environment file or secret manager, do not reuse the example values, do not commit env files, and rotate the key if it has been shared in logs, screenshots, shell history, or repository files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation includes concrete examples of storing live-looking Clicky site IDs and site keys in environment files and shell profiles without any warning about secret handling. This normalizes unsafe credential management, increases the chance of accidental disclosure through logs, screenshots, dotfile commits, or shared environments, and could expose analytics data or account access if the keys are valid.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script places the Clicky site key directly into the query string, causing credentials to be embedded in the full URL. Even over HTTPS, URLs are commonly exposed via shell history, process listings, proxy/load balancer logs, debugging output, and monitoring systems, which increases the chance of credential leakage and unauthorized API use.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal