ClawHub

Rtk Compress

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward command-output compression skill, but users should remember that wrapped commands keep the same power and privacy risks as the original commands.

Install only if you trust the rtk CLI and want agents to route command output through it. Prefer Homebrew or a pinned release over the curl-to-shell installer, keep normal approval boundaries for commits, pushes, deployments, production cluster access, and network calls, and avoid printing secret-bearing environment variables unless values are redacted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents repository-modifying commands such as git add, commit, push, and pull without warning that they change local or remote state. In an agent setting, presenting these as routine compressed wrappers can normalize destructive or unauthorized actions and increase the chance that an agent performs them without explicit user approval.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documented GitHub, curl, wget, docker/kubectl logs, and related commands can contact external services or transmit repository, environment, or service data, but the skill provides no warning about network access or data exfiltration risk. In an agent workflow, this omission is dangerous because the wrapper may make networked commands look as harmless as local token-saving utilities.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises environment inspection via 'rtk env -f AWS' without warning that environment variables frequently contain secrets such as cloud credentials, tokens, or API keys. Even filtered or compressed output can still disclose sensitive values into logs, model context, or downstream tooling.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal