ClawHub

Ultimate Flashcards / Podcasts Tutor

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned, but it uses a broad EchoDecks API key and can transmit, modify, and spend account resources without enough up-front user warning.

Review before installing. Use this only with an EchoDecks API key you are comfortable granting broad account access, avoid submitting confidential or regulated study material unless EchoDecks is approved for it, and require explicit confirmation before generation, podcast creation, or review submission because those actions may consume credits or change account history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explicitly describes a service-level API key that can access user profile data, study statistics, deck contents, and AI generation features, but it provides no warning about the sensitivity of the data being transmitted or the broad authority of that credential. This can lead integrators to handle the key and returned user data insecurely, increasing the risk of unauthorized access, privacy violations, and account-wide misuse if the key is exposed.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill advertises AI generation and podcast synthesis against an external API but does not clearly warn that user-provided deck content or source text may be transmitted to a third-party service. This creates a meaningful privacy and data-handling risk because users may provide sensitive study material without informed consent about external sharing.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The skill notes credit costs for some actions, but it does not clearly warn at the skill level that generation and review operations can change account state and consume paid resources. This can lead to unintended charges or persistent account modifications if an agent invokes these tools without clear user confirmation.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal