HF Spaces

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill does what it claims: it helps with using Hugging Face Spaces and inference providers, subject to the ordinary third-party data-sharing considerations that come with those services.

Install only if you are comfortable using Hugging Face or related inference providers for generation tasks. Avoid sending secrets, private documents, or sensitive media in prompts or files, and use a narrowly scoped Hugging Face token only when authenticated Spaces or inference providers require it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%

Finding: The manifest description includes very broad trigger phrases such as general image/video/text-to-speech generation requests, which can cause the skill to activate in many contexts without clear user intent to use Hugging Face services. Because this skill sends prompts and possibly files to third-party Spaces or inference providers, overbroad activation increases the chance of unintended external data disclosure or execution of external-service workflows.

Missing User Warnings

Medium
Confidence: 95%

Finding: The examples instruct direct network calls to external Hugging Face Spaces, APIs, and inference providers but do not explicitly warn that user prompts, files, or generated content will be transmitted to third-party services. In a skill that encourages image, audio, and video workflows, this omission is risky because users may unknowingly send sensitive text, media, or tokens off-platform.

VirusTotal

66/66 vendors flagged this skill as clean.