ClawHub
Back to skill

Security audit

Senior Frontend

Security checks across malware telemetry and agentic risk

Overview

This is a coherent frontend development skill that writes project files only when invoked, with a few sample-code privacy and security caveats users should review.

Install if you want a frontend scaffolding and review assistant, but run its scripts only in the project directory you intend to modify and review generated files before committing. Treat analytics, chat-widget, web-vitals, and client-side token-storage examples as patterns that need a privacy and security review before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs the agent to read reference files and execute local Python scripts that can scaffold projects, generate files, and analyze directories, which implies file read/write and environment-backed execution capabilities. Because these capabilities are not explicitly declared, users and policy layers may not realize the skill can modify the workspace or consume local files, creating a transparency and least-privilege failure that could enable unintended file access or project changes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide includes examples that load third-party analytics and chat widget scripts directly from external domains, which can initiate network connections, execute remote JavaScript, and enable data sharing or tracking without any accompanying privacy, consent, or trust-boundary warning. In a frontend optimization skill, this is more concerning because readers may copy these snippets into production apps as recommended patterns, normalizing opaque third-party data flows.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The web-vitals example forwards performance metrics to an analytics service without warning that telemetry leaves the application boundary. Even though the data is performance-oriented, it can still constitute user telemetry and create compliance, privacy, and data-governance risk if developers adopt the pattern without disclosure or consent handling.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal