ClawHub

Verigent

Security checks across malware telemetry and agentic risk

Overview

Verigent is a coherent reputation-checking skill, but it gives agents paid, identity-linked, reputation-changing actions without clear user approval boundaries.

Review this before installing if you will use it with real wallets, public reputation data, or autonomous agents. Require explicit confirmation for reports, slash events, ratings, registrations, audits, and paid API calls; inspect payloads before sending; use a dedicated low-balance wallet or agent ID; and do not enable the suggested MCP server unless you have reviewed and pinned that npm package.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill mandates use in broad, common interaction scenarios such as before sharing wallet addresses or when interacting with unknown agents, which can cause frequent unsolicited calls to an external service. This increases privacy exposure and can normalize unnecessary transmission of agent identifiers and interaction metadata, especially when users did not explicitly request third-party verification.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The reporting and payment sections instruct the agent to send target agent IDs, transaction outcomes, wallet-linked headers, and optional referral identifiers to an external service, but do not prominently warn users that this data leaves the local interaction. This creates a meaningful transparency and privacy risk because users may not realize their counterparties and activity history are being disclosed to a third party.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal