Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but users should avoid sending private product URLs because extraction uses an external API.

Install only if you are comfortable sending product URLs and a short excerpt of scraped page content to the SkillBoss/HeyBoss API. Use public product pages, avoid internal storefronts, private links, presigned URLs, or commercially sensitive pages, and confirm the API domain before configuring your key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 97%
Finding: The skill instructs use of external scraping and LLM extraction on user-provided product URLs without warning that the URL and retrieved page contents will be transmitted to SkillBoss API Hub. That creates a privacy and data-governance risk, especially if users submit internal, private, authenticated, or commercially sensitive product pages.

Missing User Warnings

Medium
Confidence: 96%
Finding: The skill depends on an API key and third-party scraping/chat capabilities but provides no user-facing warning about external service access, credential-backed operations, or related data handling. This can lead to silent use of privileged integrations and unexpected disclosure of user inputs or retrieved content to an outside service.

Missing User Warnings

Medium
Confidence: 94%
Finding: The script sends the user-supplied product URL and scraped page content to a third-party API for scraping and LLM extraction without any runtime disclosure, consent, or data-minimization controls. This can expose confidential product pages, internal URLs, or sensitive page contents to an external service, which is especially risky because the skill accepts arbitrary URLs.

External Transmission

Medium
Category: Data Exfiltration
Content:
def pilot(body: dict) -> dict:
    r = requests.post(
        f"{API_BASE}/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json=body,
Confidence: 87%
Finding: requests.post( f"{API_BASE}/pilot", headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"}, json=

VirusTotal

No VirusTotal findings
