Back to skill

Security audit

Clawdhub

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward ClawdHub CLI reference for installing, updating, and publishing skills, with no hidden execution, but users should treat update and publish commands carefully.

Install only if you intend to use the ClawdHub CLI. Avoid running `--all`, `--force`, or `--no-input` update commands unless you are comfortable changing many installed skills without review, and inspect any skill folder before publishing it to a registry.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly documents forceful and non-interactive update commands such as `clawdhub update --all --no-input --force` without any safety guidance. In an agent context, this can cause unattended bulk modification of many local skill files, increasing the chance of accidental overwrite, supply-chain exposure, or propagation of unreviewed remote changes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill includes a publish command that uploads a local skill directory to a remote registry but does not warn that local contents may include sensitive files, secrets, or proprietary code. In a tool-using agent setting, this omission is risky because users may treat publishing as routine and inadvertently exfiltrate data to an external service.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.