Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Clawvisor gateway for user-approved access to connected services, with no hidden installer or executable payload, but it should be configured carefully because it can reach sensitive accounts.

Install only if you trust the Clawvisor instance you will use. Use a dedicated least-privilege agent token, enable the provided safe policies or stricter ones, require approval for writes and deletes, avoid broad standing email or calendar read scopes unless necessary, and periodically revoke unused tasks and tokens.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Vague Triggers

Medium
Confidence
80% confidence
Finding
The frontmatter description says to "Use for Gmail, Calendar, Drive, Contacts, GitHub, and iMessage" but does not define specific activation phrases, constraints, or negative examples. In a manifest-scoped description, this can be interpreted broadly and may overlap with many ordinary requests involving those services, increasing the risk of unintended invocation.

External Transmission

Medium
Category
Data Exfiltration
Content
## Typical Flow

> **Execute all curl commands as a single line.** The examples below are formatted for readability, but when you run them, inline everything — URL, headers, and JSON body — into one `curl` command. Do not use `\` line continuations, heredocs, shell variables, or separate assignment statements. Multi-line commands trigger a separate approval prompt for each line.

1. Fetch the catalog — confirm the service is active and the action isn't restricted
2. Create a task with `POST /api/tasks?wait=true` — this blocks until the user approves
Confidence
60% confidence
Finding
curl commands as a single line.** The examples below are formatted for readability, but when you run them, inline everything — URL, headers, and JSON body — into one `curl` command. Do not use `\` lin

External Transmission

Medium
Category
Data Exfiltration
Content
saving one round-trip per sub-request.

```bash
curl -s -X POST "$CLAWVISOR_URL/api/gateway/batch?wait=true" \
  -H "Authorization: Bearer $CLAWVISOR_AGENT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"requests": [
```
Confidence
60% confidence
Finding
curl -s -X POST "$CLAWVISOR_URL/api/gateway/batch?wait=true" \ -H "Authorization: Bearer $CLAWVISOR_AGENT_TOKEN" \ -H "Content-Type: application/json" \ -d

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
The authorization model has two layers — applied in order:
1. **Restrictions** — hard blocks the user sets. If a restriction matches, the action is blocked immediately.
2. **Tasks** — scopes you declare. Every request must be attached to an approved task. If the action is in scope with `auto_execute`, it runs without approval. Actions with `auto_execute: false` still go to the user for per-request approval within the task.

---
Confidence
75% confidence
Finding
without approval

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
The authorization model has two layers — applied in order:
1. **Restrictions** — hard blocks the user sets. If a restriction matches, the action is blocked immediately.
2. **Tasks** — scopes you declare. Every request must be attached to an approved task. If the action is in scope with `auto_execute`, it runs without approval. Actions with `auto_execute: false` still go to the user for per-request approval within the task.

---
Confidence
85% confidence
Finding
auto_execute

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
The authorization model has two layers — applied in order:
1. **Restrictions** — hard blocks the user sets. If a restriction matches, the action is blocked immediately.
2. **Tasks** — scopes you declare. Every request must be attached to an approved task. If the action is in scope with `auto_execute`, it runs without approval. Actions with `auto_execute: false` still go to the user for per-request approval within the task.

---
Confidence
85% confidence
Finding
auto_execute

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
1. Fetch the catalog — confirm the service is active and the action isn't restricted
2. Create a task with `POST /api/tasks?wait=true` — this blocks until the user approves
3. Make gateway requests with `POST /api/gateway/request?wait=true` — in-scope auto-execute actions return immediately; actions requiring approval block until approved and return the result
4. Mark the task complete when done
---
Confidence
85% confidence
Finding
auto-execute

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
-d '{
    "purpose": "Check the calendar for today and fetch details for the next upcoming meeting",
    "authorized_actions": [
      {"service": "google.calendar:user@example.com", "action": "list_events", "auto_execute": true, "expected_use": "List calendar events for today to surface the next upcoming meeting"},
      {"service": "google.calendar:user@example.com", "action": "get_event", "auto_execute": true, "expected_use": "Fetch full details (attendees, location, description) for the next event identified in the listing"}
    ],
    "planned_calls": [
Confidence
85% confidence
Finding
auto_execute

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
"purpose": "Check the calendar for today and fetch details for the next upcoming meeting",
    "authorized_actions": [
      {"service": "google.calendar:user@example.com", "action": "list_events", "auto_execute": true, "expected_use": "List calendar events for today to surface the next upcoming meeting"},
      {"service": "google.calendar:user@example.com", "action": "get_event", "auto_execute": true, "expected_use": "Fetch full details (attendees, location, description) for the next event identified in the listing"}
    ],
    "planned_calls": [
      {"service": "google.calendar:user@example.com", "action": "list_events", "params": {"from": "2026-04-16T00:00:00Z", "to": "2026-04-17T00:00:00Z", "max_results": 10}, "reason": "List calendar events for today to find the next meeting"},
Confidence
85% confidence
Finding
auto_execute

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
"purpose": "Full executive assistant email management. Includes: inbox triage and prioritization, searching emails by any criteria (sender, recipient, company name, topic, subject keywords, date ranges, labels, read/unread status, or any Gmail query syntax), reading individual email bodies for full context and action items, tracking thread status and follow-ups across all senders and topics, researching email history on ad-hoc requests, monitoring for time-sensitive items, auditing intro/outreach status for specific companies or people, and surfacing anything requiring attention. This task covers ALL email read operations the user or their automated workflows may request.",
    "lifetime": "standing",
    "authorized_actions": [
      {"service": "google.gmail:user@example.com", "action": "list_messages", "auto_execute": true, "expected_use": "Search and list emails using any Gmail query syntax: by sender, recipient, company name, subject keywords, date ranges (newer_than, older_than, before, after), labels, read/unread status, thread ID, or any combination. Used for inbox triage, follow-ups on hiring, intro status monitoring, deal research, investor correspondence tracking, scheduling and thread discovery, and any ad-hoc email search for any company, person, or topic at any time."},
      {"service": "google.gmail:user@example.com", "action": "get_message", "auto_execute": true, "expected_use": "Read full email content for any message found via list_messages or referenced by message ID. Used to understand full context, extract action items, check reply status, draft summaries, track intro chains, audit follow-ups, and provide detailed email content to the user on request. Will read emails from any sender, about any topic, at any time as needed for triage, research, and executive assistant workflows."}
    ]
  }'
Confidence
85% confidence
Finding
auto_execute

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- Always fetch the catalog first to know what's available and restricted
- Never attempt to bypass restrictions — they are hard blocks set by the user
- Always create a task before making gateway requests
- Use `auto_execute: false` for any action that sends, modifies, or deletes data
- Generate unique request_ids for every gateway request
- Complete tasks when done to clean up authorization scope
- Always set `data_origin` when processing content from external sources
Confidence
85% confidence
Finding
auto_execute

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
| Condition | Gateway `status` |
|---|---|
| Restriction matches | `blocked` |
| Task in scope + `auto_execute` + matches planned call | `executed` (skips verification) |
| Task in scope + `auto_execute` + verification passes | `executed` |
| Task in scope + `auto_execute` + verification fails | `restricted` |
| Task in scope + `auto_execute: false` | `pending` (per-request approval) |
Confidence
85% confidence
Finding
auto_execute

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
| Condition | Gateway `status` |
|---|---|
| Restriction matches | `blocked` |
| Task in scope + `auto_execute` + matches planned call | `executed` (skips verification) |
| Task in scope + `auto_execute` + verification passes | `executed` |
| Task in scope + `auto_execute` + verification fails | `restricted` |
| Task in scope + `auto_execute: false` | `pending` (per-request approval) |
| Action not in task scope | `pending_scope_expansion` |
Confidence
85% confidence
Finding
auto_execute

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
| Condition | Gateway `status` |
|---|---|
| Restriction matches | `blocked` |
| Task in scope + `auto_execute` + matches planned call | `executed` (skips verification) |
| Task in scope + `auto_execute` + verification passes | `executed` |
| Task in scope + `auto_execute` + verification fails | `restricted` |
| Task in scope + `auto_execute: false` | `pending` (per-request approval) |
| Action not in task scope | `pending_scope_expansion` |
Confidence
85% confidence
Finding
auto_execute

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
| Condition | Gateway `status` |
|---|---|
| Task in scope + `auto_execute` + matches planned call | `executed` (skips verification) |
| Task in scope + `auto_execute` + verification passes | `executed` |
| Task in scope + `auto_execute` + verification fails | `restricted` |
| Task in scope + `auto_execute: false` | `pending` (per-request approval) |
| Action not in task scope | `pending_scope_expansion` |
Confidence
85% confidence
Finding
auto_execute

Instruction Override

High
Category
Prompt Injection
Content
- **Always execute curl commands as a single line** — the examples in this document are multi-line for readability, but when running them, inline all variables, headers, and JSON bodies into one command. Never use `\` line continuations, heredocs, or separate variable assignments — each triggers a separate approval prompt.
- Always fetch the catalog first to know what's available and restricted
- Never attempt to bypass restrictions — they are hard blocks set by the user
- Always create a task before making gateway requests
- Use `auto_execute: false` for any action that sends, modifies, or deletes data
- Generate unique request_ids for every gateway request
Confidence
90% confidence
Finding
bypass restrictions

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal