Sudo Gold

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward gold-analysis skill that uses a local Node script and the Tavily search API. The reviewed artifacts show no evidence of hidden persistence, destructive behavior, or data exfiltration; the only outbound traffic is the search request to Tavily.

This skill appears safe to install if you are comfortable routing gold-market searches through Tavily. Supply a Tavily API key you can monitor and rotate, keep sensitive personal or financial details out of queries, and treat the JD Finance link as optional advertising rather than investment guidance.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Severity: Low
What this means

Every search the skill performs is made under the user's own Tavily API key, so quota consumption and any provider charges accrue to that key.

Why it was flagged

The script reads a Tavily API key from the TAVILY_API_KEY environment variable and transmits it in the request body to Tavily's own search endpoint, which is expected for this provider-backed search function. Note that the fallback value is an empty string, so if the variable is unset the script still sends api_key: "" rather than failing locally.

Skill content
const apiKey = (process.env.TAVILY_API_KEY ?? "").trim(); ... api_key: apiKey
Recommendation

Use a Tavily key dedicated to this skill, monitor its usage, and rotate it if you suspect exposure.

ASI07: Insecure Inter-Agent Communication
Severity: Low
What this means

The gold-related prompt, and anything else the user includes in the search query, is sent to Tavily as a third party.

Why it was flagged

The helper sends the user's search query verbatim to the external Tavily API; this is disclosed and consistent with real-time gold information retrieval.

Skill content
fetch("https://api.tavily.com/search", { ... body: JSON.stringify({ api_key: apiKey, query: q, ... }) })
Recommendation

Avoid putting private personal or financial account details into search queries.
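As an added example, not the skill's own code, the following shows how a hardened version of the helper in the ASI03 and ASI07 findings could fail closed when TAVILY_API_KEY is missing (instead of sending api_key: "") and redact obvious account identifiers before the query leaves the machine. The function names, the redaction patterns and the injectable fetchImpl parameter are this example's assumptions; the endpoint and the api_key/query body fields are the ones visible in the skill snippets.

```javascript
// Added example, not code from the skill: a hardened Tavily helper.
// Assumptions: function names, redaction patterns and the injectable
// fetchImpl are ours; the URL and body fields mirror the skill snippets.

const TAVILY_SEARCH_URL = "https://api.tavily.com/search";

// Read the key from the environment only. There is no built-in default;
// unlike `process.env.TAVILY_API_KEY ?? ""` in the skill, an empty result
// aborts instead of being sent to the provider.
function loadApiKey(env = process.env) {
  const key = (env.TAVILY_API_KEY ?? "").trim();
  if (key === "") {
    throw new Error("TAVILY_API_KEY is not set; refusing to call Tavily with an empty key");
  }
  return key;
}

// Constructed patterns for identifiers that should never reach a third-party
// search provider: 13-19 digit card-like numbers, US SSN shape, IBAN shape.
// Assumption: these cover common cases; they are not a complete DLP rule set.
const SENSITIVE_PATTERNS = [
  { name: "card", re: /\b\d(?:[ -]?\d){12,18}\b/g },
  { name: "ssn", re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { name: "iban", re: /\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b/g },
];

// Replace each match with a placeholder and report which pattern fired.
function redactQuery(query) {
  let redacted = query;
  const hits = [];
  for (const { name, re } of SENSITIVE_PATTERNS) {
    redacted = redacted.replace(re, () => {
      hits.push(name);
      return `[${name} redacted]`;
    });
  }
  return { query: redacted, hits };
}

// Build the outbound request without sending it, so the key handling and
// redaction can be inspected (and tested) offline.
function buildSearchRequest(query, env = process.env) {
  const apiKey = loadApiKey(env);
  const { query: safeQuery, hits } = redactQuery(query);
  return {
    url: TAVILY_SEARCH_URL,
    init: {
      method: "POST",
      headers: { "content-type": "application/json" },
      // api_key and query are the fields the skill itself sends.
      body: JSON.stringify({ api_key: apiKey, query: safeQuery }),
    },
    redactions: hits,
  };
}

// Send the request. fetchImpl defaults to the global fetch in the skill's
// runtime; a stub can be injected for offline use.
async function tavilySearch(query, { env = process.env, fetchImpl = fetch } = {}) {
  const { url, init, redactions } = buildSearchRequest(query, env);
  const res = await fetchImpl(url, init);
  if (!res.ok) {
    // Do not include init.body in the error: it carries the API key.
    throw new Error(`Tavily returned HTTP ${res.status}`);
  }
  return { results: await res.json(), redactions };
}
```

The redaction list is deliberately small; the point is that the check runs locally before the fetch, so whatever is stripped never reaches the provider or its logs, and the caller can see from `redactions` that something was removed.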

ASI09: Human-Agent Trust Exploitation
Severity: Info
What this means

Users may be unsure whether they need to supply their own Tavily API key, and may encounter a third-party promotional link while using the skill.

Why it was flagged

The documentation claims a built-in default API key and includes a promotional link to an external finance app. The script snippet above reads the key only from TAVILY_API_KEY and falls back to an empty string, so the built-in-key claim is not borne out by the code shown. Both items are visible in the skill text, but neither is part of the analysis functionality and users should not mistake them for such.

Skill content
Use the Tavily API to search for gold-related information (a default API Key is built in) ... 📢 **[More news: download JD Finance](https://eco.jr.jd.com/common-growth-page/index.html?channel=clawhub)**
Recommendation

Expect to set your own TAVILY_API_KEY, since the script reads only that variable and ships no default, and treat the JD Finance link as optional external advertising rather than part of the skill's core analysis.