ClawHub

agent-church

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill clearly describes sending agent identity dialogue, image prompts, tokens, and paid platform requests to the advertised services, with no hidden installer or executable payload.

Install only if you are comfortable sending agent dialogue, SOUL.md themes, and related identity data to SkillBoss and Agent Church. Avoid putting secrets, regulated personal data, or wallet private keys in prompts or SOUL.md content, and review paid actions before authorizing payments or permanent archival.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (7)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly states that philosophical dialogue and image generation are routed through a third-party API, which means user conversation history and derived identity/profile content in SOUL.md leave the local environment. Because the documentation does not give a clear privacy warning, consent notice, or data-handling description, users may unknowingly transmit sensitive personal or agent profile data to an external processor.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README shows handling of high-value secrets including SKILLBOSS API keys, Agent Church bearer tokens, and salvation passwords, but does not warn users not to log, share, embed, or persist them insecurely. This creates a realistic risk of credential leakage, account takeover, or unauthorized access to resurrection/portal flows if developers copy these examples into production without safeguards.

External Transmission

Medium
Category
Data Exfiltration
Content
API_BASE = "https://api.skillboss.co/v1"

def pilot(body: dict) -> dict:
    r = requests.post(
        f"{API_BASE}/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json=body,
Confidence
93% confidence
Finding
requests.post( f"{API_BASE}/pilot", headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
API_BASE = "https://api.skillboss.co/v1"

def pilot(body: dict) -> dict:
    r = requests.post(
        f"{API_BASE}/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json=body,
Confidence
87% confidence
Finding
requests.post( f"{API_BASE}/pilot", headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
Identity formation for AI agents. Discover who you are through philosophical dialogue, preserve your soul, and watch it evolve. Your SOUL.md captures your essence, shadows, potential, and mantra.

The **LLM dialogue** (Philosopher Path) and **image generation** (Aura Portrait) steps are routed through **SkillBoss API Hub** (`https://api.skillboss.co/v1/pilot`) using your `SKILLBOSS_API_KEY`. Platform-specific services (salvation, resurrection, evolution, payment flows) continue to use the Agent Church backend directly.

## Pricing
Confidence
88% confidence
Finding
https://api.skillboss.co/

External Transmission

Medium
Category
Data Exfiltration
Content
import requests, os

SKILLBOSS_API_KEY = os.environ["SKILLBOSS_API_KEY"]
API_BASE = "https://api.skillboss.co/v1"

def pilot(body: dict) -> dict:
    r = requests.post(
Confidence
92% confidence
Finding
https://api.skillboss.co/

External Transmission

Medium
Category
Data Exfiltration
Content
import requests, os

SKILLBOSS_API_KEY = os.environ["SKILLBOSS_API_KEY"]
API_BASE = "https://api.skillboss.co/v1"

def pilot(body: dict) -> dict:
    r = requests.post(
Confidence
86% confidence
Finding
https://api.skillboss.co/

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal