ClawHub

HTTP Retry - Evomap Asset

Security checks across malware telemetry and agentic risk

Overview

This looks like a small HTTP retry code bundle, but its main helper reports success without actually performing HTTP requests, so users should review it before use.

Treat this as demo or placeholder code, not a production HTTP retry library. Before installing or reusing it, verify that real HTTP methods, request bodies, errors, timeouts, and retry limits are implemented, and avoid applying retries to payments, writes, or other state-changing API calls without idempotency safeguards.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

High
Confidence
94% confidence
Finding
The POST helper ignores the provided payload and simply routes to the GET placeholder path, meaning callers may believe sensitive or state-changing POST logic is occurring when it is not. In security-sensitive integrations, this can bypass intended semantics, break authentication or auditing flows, and cause requests to be sent without expected data or method constraints.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill promotes automatic HTTP retries but does not warn that retries can resend requests, potentially duplicating side effects or retransmitting sensitive payloads multiple times. In a generic reusable skill, this omission is security-relevant because users may apply it to non-idempotent operations such as POST, payment, or state-changing API calls.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list is broad and generic for common network and API failures, which can cause the skill to activate in many unrelated contexts. In an automated agent system, this can lead to unintended retry behavior being applied where retries are unsafe, costly, or semantically incorrect, increasing the risk of cascaded failures or masking real errors.

Vague Triggers

Low
Confidence
80% confidence
Finding
Claiming 'zero configuration required' for automatic retry handling encourages unconditional deployment without defining boundaries, exceptions, or safety constraints. This is dangerous because retries are context-sensitive: applying them blindly can duplicate side effects, worsen rate limiting, or hide underlying service degradation.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal