Knowledge Graph - API Ingestion Connectors

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward API-ingestion helper; it handles credentials and external API data by design, with no evidence of hidden collection, persistence, or destructive behavior.

Install only if you intend to build API ingestion workflows. Use least-privilege tokens, keep secrets in environment variables or a secrets manager, avoid logging Authorization headers or request bodies, and confirm that the data you ingest is allowed to leave the source system.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly accepts authentication credentials and connects to third-party APIs, but it does not clearly warn users that secrets and potentially sensitive payload data will be transmitted to external services. In a data-ingestion context, this omission can lead to accidental disclosure of tokens, personal data, or proprietary records to unintended endpoints or environments.

Missing User Warnings

Medium
Confidence: 88%
Finding
The examples repeatedly demonstrate authenticated requests to third-party services and include secret-bearing fields such as bearer tokens, API keys, client secrets, and basic auth credentials, but provide no warning about secure secret handling, least-privilege scopes, log redaction, or the privacy implications of sending data to external APIs. In a connector/ingestion skill, users are likely to copy these patterns directly into production ETL flows, which increases the risk of accidental secret exposure and unintended transmission of sensitive data off-platform.

Missing User Warnings

Medium
Confidence: 79%
Finding
The document provides concrete patterns for POST bodies and multiple authentication schemes that send data and credentials to external APIs, but it does not prominently warn about the risk of transmitting sensitive user, system, or regulated data. In an ingestion connector skill, that omission matters because users may adapt these examples directly for ETL pipelines and unknowingly exfiltrate secrets or personal data to third-party services.

External Transmission

Medium
Category
Data Exfiltration
Content
### Request Format

```bash
GET https://api.github.com/users?page=1&per_page=30
Authorization: Bearer ghp_xxxxxxxxxxxxxxxxxxxx
```
Confidence: 98%
Finding
https://api.github.com/

VirusTotal

65/65 vendors flagged this skill as clean.
