Specter CLI – AI powered startup and deal sourcing

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed Specter CLI guide whose sensitive actions are purpose-aligned, but users should handle API keys, personal data, file inputs, and delete commands carefully.

Before installing, review the referenced CLI repository and dependencies, use a revocable or least-privileged Specter API key where possible, avoid submitting confidential or regulated data unless approved for Specter processing, and confirm exact IDs before remove or delete commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill documents multiple destructive delete operations for lists and saved searches without any warning, confirmation guidance, or caution about irreversibility. In an agent setting, this increases the risk of accidental data loss or unsafe automation because a user may invoke deletion commands without understanding the consequences.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill exposes people enrichment, email lookup, and reverse-email lookup capabilities without any privacy, consent, or data-handling warning. This can lead to misuse of personal data and noncompliant processing of PII, especially when an agent may automate lookups at scale.

Missing User Warnings

Medium
Confidence: 92%
Finding
The entity extraction commands accept raw text or file input but do not warn that supplied content may be transmitted to the Specter service. Users may inadvertently send confidential, proprietary, or regulated data to a third party, which is especially risky in agent workflows that may pass file contents automatically.

VirusTotal

66/66 vendors flagged this skill as clean.
