ClawHub

Multi Summarize

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Evolink-powered summarizer that sends chosen content to an external API, with a limited temporary-file cleanup weakness but no hidden or unrelated behavior.

Install only if you are comfortable sending summarized URLs, files, transcripts, and prompts to Evolink. Keep SUMMARIZE_SAFE_DIR narrow, avoid summarizing secrets or highly sensitive documents, protect EVOLINK_API_KEY, and be aware that audio transcription uses predictable temporary filenames until the publisher changes it to a private mktemp directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script sends extracted local file contents or fetched URL contents to a third-party API for summarization, but it does not provide an explicit runtime warning or confirmation before transmission. In a summarization skill, exfiltration to the remote model provider is expected functionality, but the lack of clear user-facing disclosure creates a real privacy and data-handling risk if users summarize sensitive documents unintentionally.

External Transmission

Medium
Category
Data Exfiltration
Content
ESCAPED_USER=$(json_escape "$USER_MSG")

# --- Call Evolink API ---
RESPONSE=$(curl -s "$API_URL" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $API_KEY" \
  -d "{
Confidence
98% confidence
Finding
curl -s "$API_URL" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer $API_KEY" \ -d

Tool Parameter Abuse

High
Category
Tool Misuse
Content
whisper "$INPUT" --model base --output_format txt --output_dir /tmp 2>/dev/null
        BASENAME=$(basename "$INPUT" | sed 's/\.[^.]*$//')
        cat "/tmp/${BASENAME}.txt" 2>/dev/null
        rm -f "/tmp/${BASENAME}.txt" "/tmp/${BASENAME}.json" "/tmp/${BASENAME}.srt" "/tmp/${BASENAME}.vtt" "/tmp/${BASENAME}.tsv" 2>/dev/null
      else
        echo "[Audio file: $INPUT — install openai-whisper for transcription.]"
      fi
Confidence
84% confidence
Finding
rm -f "/tmp/${BASENAME}.txt" "/tmp/${BASENAME}.json" "/tmp/${BASENAME}.srt" "/tmp/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal