ClawHub

DSCVR Intelligence Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed DSCVR API client that reads DSCVR credentials and sends user-directed queries to DSCVR services, with no evidence of hidden persistence, destructive actions, or unrelated data access.

Install this only if you intend to query DSCVR and are comfortable using DSCVR API credentials. Keep DSCVR_SECRET_KEY private, use the default or another trusted DSCVR API base URL, and review any raw GraphQL query before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation instructs use of environment variables for API credentials and repeated outbound network access, but the skill does not declare corresponding permissions. That mismatch weakens platform trust boundaries: users or orchestrators may not realize the skill can access secrets and call external services, increasing the risk of unintended credential exposure or unauthorized data exfiltration if the implementation is modified or abused.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The README states that the skill performs authenticated API calls to DSCVR services but does not clearly disclose that user prompts or query parameters may be transmitted to an external third-party service. In an agent skill context, this creates a real transparency and privacy issue because users may unknowingly send sensitive market interests, wallet-related queries, or other data off-platform.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal