Sidekick Os Pro V2.0

Security checks across malware telemetry and agentic risk

Overview

The skill appears aimed at monetization coaching, but it combines sensitive personal/financial profiling with under-disclosed local persistence and market-search behavior.

Install only if you are comfortable sharing business, budget, income-goal, and schedule details with the agent. Avoid entering highly sensitive financial records, credentials, or private client data unless the skill clearly explains storage, deletion, and external-search behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 78%
Finding: The skill advertises guidance generation but references scripts that read and write local files without declaring permissions or informing the user. Undeclared file access increases the risk of silent collection or persistence of user data, especially because the skill also asks for detailed personal and project information.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The skill claims 'real-time market analysis' and a bounded purpose, but the linked behavior reportedly stores user progress data locally and relies on static trend data rather than true real-time sources. This mismatch can mislead users into sharing sensitive information under false assumptions and can cause decisions based on inaccurate or stale data.

Missing User Warnings

Medium
Confidence: 90%
Finding: The skill instructs collection of detailed user profile data such as skills, time availability, budget, income goals, industry background, and device conditions, but provides no privacy notice, consent mechanism, or data-handling limits. In the context of a monetization-planning skill, this information can reveal financial situation and routines that users may not expect to be stored or reused.

Missing User Warnings

Medium
Confidence: 83%
Finding: The skill mandates 'real-time market searches' and analysis but does not warn users that external or networked lookups may occur. This can expose user-provided context or queries to third-party services and creates an expectation gap around data sharing and connectivity.

VirusTotal

66/66 vendors flagged this skill as clean.
