SkillBench

Security checks across malware telemetry and agentic risk

Overview

SkillBench is a coherent benchmarking skill, but users should treat its ClawVault sync and optional recurring monitoring as privacy-relevant features.

Before installing, verify you trust the @versatly/skillbench npm package. Avoid recording secrets, customer names, sensitive project names, or detailed failure messages unless you are comfortable with benchmark data potentially syncing to ClawVault, and only enable watch or scheduled testing when you want recurring activity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 93%
Finding
The statement that benchmarks sync to ClawVault 'automatically' is ambiguous because it does not define when syncing occurs, what data is sent, or how users can control it. In an agent context, unclear automatic network transmission can lead to unintended disclosure of task names, timing data, errors, or other metadata to an external service.

Missing User Warnings

High
Confidence: 97%
Finding
The skill advertises automatic benchmark sync to ClawVault without any privacy or data-transmission warning. Because benchmark records may include task names, durations, failure reasons, trends, and potentially sensitive operational metadata, silent or undocumented transmission to a remote system creates a meaningful confidentiality risk.

VirusTotal

66/66 vendors flagged this skill as clean.
