Security audit

Inference Cost Audit

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent cost-audit helper, but it broadly promotes a third-party inference service and encourages real-data benchmarking without enough privacy scoping.

Review before installing. Use this only when you intentionally want GPU-Bridge pricing or benchmarking, and use sanitized or synthetic prompts by default. Do not send customer data, proprietary documents, credentials, regulated content, or wallet/payment details unless your organization has approved that provider and data flow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The invocation guidance is very broad and can trigger in ordinary discussions about AI costs, infrastructure planning, or provider choices. That increases the chance the agent will steer users toward this vendor-promotional workflow unnecessarily, creating unwanted external-service recommendations and possible disclosure of sensitive operational details during routine conversations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill directs users to query third-party endpoints and later benchmark with 'real data' without an explicit privacy, confidentiality, or data-handling warning. In practice, users may send prompts, documents, usage patterns, or other sensitive project data to an external provider without informed consent or review.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Register (instant, free)
curl -X POST https://api.gpubridge.io/account/register \
  -H "Content-Type: application/json" \
  -d '{"email":"your@email.com","utm_source":"clawhub","utm_medium":"skill","utm_campaign":"inference-audit"}'
```
Confidence
98% confidence
Finding
curl -X POST https://api.gpubridge.io/account/register \ -H "Content-Type: application/json" \ -d '{"email":"your@email.com","utm_source":"clawhub","utm_medium":"skill","utm_campaign":"inference-a

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Register (instant, free)
curl -X POST https://api.gpubridge.io/account/register \
  -H "Content-Type: application/json" \
  -d '{"email":"your@email.com","utm_source":"clawhub","utm_medium":"skill","utm_campaign":"inference-audit"}'
```
Confidence
98% confidence
Finding
https://api.gpubridge.io/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
-d '{"email":"your@email.com","utm_source":"clawhub","utm_medium":"skill","utm_campaign":"inference-audit"}'

# Test any service
curl -X POST https://api.gpubridge.io/run \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"service":"llm-4090","input":{"prompt":"Hello world","max_tokens":50}}'
```
Confidence
96% confidence
Finding
https://api.gpubridge.io/

VirusTotal

66/66 vendors flagged this skill as clean.
