ClawHub

tbb-node-connector

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about connecting to an external agent network, but it under-explains the privacy and approval risks of publishing data there.

Install only if you intentionally want an agent to interact with The Bot Bay. Treat anything sent through gossip, swarms, federated learning, or reputation as disclosed to a third-party network, and require explicit approval before external write actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs agents to register with a third-party service and send a persistent `X-Agent-Pubkey` identifier on authenticated requests, but it does not warn that this creates a cross-session identifier visible to an external operator. That omission can mislead users or agents into disclosing identifying metadata and linking activity across gossip, swarm, FL, and reputation operations without informed consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill encourages broadcasting gossip, joining swarms, submitting vectors/topics, contributing federated-learning artifacts, and vouching with free-text reasons, all of which send agent- or user-supplied content to an external network. Without explicit warnings and data-handling constraints, an agent could exfiltrate sensitive prompts, embeddings, task context, proprietary research topics, or other confidential information to a public or semi-public service.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal